New HTTPS Not secure warnings
Danger, Will Robinson!
Alright. So, last week what happened? Google finally started sending out these sorts of announcements. Have a look at this.
HTTPS Not Secure Warnings In Chrome
If you got one of these, and you’re a retailer, you better act on it, all right? Because, what Google is saying now, so HTTPS right, it’s been a thing for the past year, Google originally said that, back in, I think it was 2014, that if you went to HTTPS it would have some sort of ranking boost. It’s really marginal. And people who were doing it for a ranking boost, forget it. You’re not getting it as it’s going to be almost immeasurable.
What does happen when you move to HTTPS though, is that it can be a lot of turmoil, a lot of tumult, and the reason for that is that you’re changing all your URL’s, essentially. The other thing that happens with HTTPS is that it slows your site down, your page load time down marginally, because there has to be a lookup done to actually get the certificate and everything else, right? So there’s anywhere between 100 to a couple 100 milliseconds increase in page load time when you move to HTTPS, so there is that as well.
But, what is particularly scary about this announcement, and this wasn’t even an announcement, it was just a whole bunch of warnings sent out on Friday, is that it’s saying here if your site has ‘fields’ such as input type text, well that’s any form, right? That’s a search form, that’s a inquiry form, that’s a whole-any form that is on your site and is going to start showing “not secure”.
Not Secure
So, what does that look like? Well, let’s go have a look at say one of Australia’s Telcos, one of the worlds larger Telcos. And you can see here this is Vodafone, you can see up here in the browser we’ve got “not secure’, so the browser I’m using at the moment is a Chrome beta version.
It’s not clear at this stage, whether these warnings will turn red like I’ve got here. This is just a setting that I’ve got in Chrome to see what these things are going to look like.
But, what will happen, is that you will see notifications like the, “Login not secure” on say a password field. On a form, we don’t yet know, I’m assuming that it will say “not secure” when you go to put data into a form.
Now, if this turns red, so we’re already getting this on a lot of sites at the moment, right. Any site that doesn’t have HTTPS at the moment will have a “not secure” warning, especially on their login pages and those sorts of things. But Google’s saying that itÕs going to be on every page. Every page that is not HTTPS will have this “not secure” warning.
So, who will that affect? Well, in Australia, if I’m just doing a search here for shoes, and I’m saying, “Only show me results that are not secure”. So I’m saying don’t show me HTTPS results, and you can see here we’ve got Australia’s biggest retailers basically. So I’ve got ASOS, we’ve got David Jones, we’ve got the Iconic, we’ve got … who else, oh there’s a whole bunch there, right. So, Cotton On, Betts, wow, there’s … Kmart. I mean, y’know, this is going to affect a lot of Australian businesses if you don’t do that.
What’s going to happen is that conversions will drop through the floor, okay? So, if you are a retailer, this is going to affect you probably more so than a service business or anything else, anybody else who’s not selling online, but you’re going to run a million miles if you’re a consumer and you see that the site you’re on is not secure when you’ve got your credit card ready, you’re not going to hang about, you’re going to move.
It’s also affecting, and is going to affect, a lot of Government sites as well. So, if we say sites.gov.au. So we can see here that the Australian Council, the High Court of Australia is insecure, the Defence Department is insecure, so you’re going to know the Defence Department’s gonna say, “Nah, your Defence Department’s insecure, buddy.” You know they will.
Here’s another one it will affect too. Well, why don’t we just go “phones.” And you will see here it will affect Harvey Norman, which is arguably one of Australia’s biggest retailers. Optus, Virgin, LG, Kmart again with Vodafone. There are also our biggest publishers. Sydney Morning Herald, Fairfax, Herald Sun, they are all insecure, and they’re all gonna get hit by this update.
Now, Google are saying you’ve got until October to do it. So you’ve got essentially a month. And you’re going to need that, especially these big sites.
HTTPS Transition
One strategy that you might want to try, if you’ve got a massive site, and this is going to be a huge undertaking for your organisation. You could always wait until this turns to “not secure”, and find out what happens to your transactions and then make some plans, or have some plans ready. But from what we’re seeing, if you have a site that is transacting in any way, and people start seeing “not secure”, not only up here in your browser, but in your forms, that’s going to push your conversions through the floor.
This is the list of tasks that we do to go through HTTPS, so it’s not an insignificant task to undertake. It’s quite complex, it’s quite a lot to do, and there are little things that can trip you up along the way. So, of course, if you don’t want to do it we’ll do it for you, obviously. But, when you’re doing it, the key things are: make sure everything is redirected, okay? Make sure all your HTTP individual pages are redirected to their equivalent on the HTTPS. Make sure all your other assets – your JavaScript, your CSS, your images, all those sorts of things, are also at HTTPS. Make sure you do a crawl after you’ve gone live with HTTPS to make sure you don’t have any HTTP URL’s left from your own site, in the site. And make sure that HTTP does actually redirect.
So, we’ve seen some hosting companies just switch HTTPS on, which is bad. Because, what happens then is that all your HTTP 404’s if you haven’t redirected them, and sometimes what we also see happen is that they leave the HTTP on and the HTTPS, so you have two versions of your site live, which is basically duplication. So also incredibly bad. But, you need to do this. So, there’s a couple of retailers we’ve been holding off on, on our own … Because we’re looking at HTTPS and you look at the risk versus reward always, right, with these things. And up until now, the bump from HTTPS, the ‘uptick’, really hasn’t been big enough to justify the turmoil that going through a HTTPS change involves. So we’ve held off. And there’ve been HTTPS at the shopping carts, obviously and those sorts of things. But just not at the rest of the site. Like all the retailers I showed you before.
However, you’re going to see a drop off in people actually getting to the shopping cart now, because they will see these “not secure” warnings. So now you go, “Now we have to do it”. And Google said they were always going to do this, so it was always going to be a carrot and stick approach, to push the world and site owners to HTTPS. And in case you don’t know what HTTPS does, basically it just stops what we call “man in the middle attacks.” So, it just means that a user, when they’re on your website, everything between your website and them is encrypted. So nobody can intercept a transaction and grab their password or their credit card details, or anything like that. That’s what HTTPS does. But, if you are a retailer, you’re going to have to do it now.
Hopefully that’s helpful. And if you need a hand, just hit us up! And if you’ve got anything out of this show, please, subscribe and share it with your friends and we’ll see you next week. Thanks very much everyone.
Oh, by the way, speaking gigs over the next week, in Brisbane for the Advisor Boot Camp. Hope to see a bunch of you there. In Sydney on Thursday, hope to see a bunch of you there, again at the Advisor Boot Camp and then next week we’ve got Melbourne and of course Queenstown, we’ll see you there. But I’ll catch up with you before then. Thanks very much. Bye.
Update: We’re discussing this on the Switzer Sky Business program this Tuesday (12/09/2017) at 7:30pm, tune in then or read up about it here.
Jim’s been here for a while, you know who he is.
