Last update : 17 September 2020
Google announces its position on HTTPS protocol
At the beginning of 2015, the Google Chrome security team proposed that all web browser publishers (Apple, Microsoft, Mozilla, etc.) explicitly mark sites that do not use HTTPS, the secure version of the HTTP protocol, as “unsecured”. Until now, the practice was the other way around: sites that did not use the protocol carried no indication, while secure sites displayed a padlock.
If a security problem is detected, the lock is shown with a small x on top of it to warn users about security risks. With this proposal, any site that does not use the HTTPS protocol will automatically have an X’d out lock, which can reduce the confidence of a site’s visitors and therefore its traffic. This announcement from Google will no doubt influence many web designers and site owners to take this action seriously.
Mozilla joins the HTTPS movement
Last April, Richard Barnes and Steve Workman, in charge of security at Mozilla, proposed making certain information accessible only to sites that use the protocol. They did not detail exactly what information will be affected, but announced that it would cover anything that draws on users’ personal information, including geolocation.
For now, only sites that collect information about their visitors are really affected by this measure, but it has already been announced that the process will intensify in the coming months.
HTTPS would promote better search ranking
Google announced earlier this year that HTTPS-enabled sites would be favored in search results over other sites deemed less secure. However, Google has indicated that this signal carries little weight compared with content quality, user experience or code optimization.
Today, it is estimated that about 1% of the search results are affected by this change, but Google is trying to reinforce the weight of this measure in order to encourage site owners to adopt this security protocol.
On the other hand, as explained above, more and more sites will have to adopt this protocol in order to be able to display all the necessary data and to avoid showing the “X’d out lock”, which risks damaging their image with Internet users.
HTTPS and mixed content
A web page is composed of a set of resources (images, text, style sheets, etc.). When a page served over HTTPS loads some of these resources using the non-secure version of the protocol, this is called mixed content.
With this measure, this type of content can be blocked by browsers and the famous X’d padlock will appear, probably prompting the user to leave the site even though the page itself is served securely.
However, as this problem has already been identified, a new Content Security Policy (CSP) directive is being deployed for the Chrome and Firefox browsers: upgrade-insecure-requests.
The purpose of this directive is to instruct browsers to request a resource over HTTPS when the page references it through the non-secure protocol.
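To make the mixed-content case concrete, here is an added example (not code from the original article) that lists the subresources an HTTPS page references over http:// and the URL a browser applying the CSP directive `upgrade-insecure-requests` would request instead. The function names, the tag list and the sample page are assumptions made for the illustration.

```javascript
// Tags that fetch a subresource, and the attribute holding its URL.
// <a href> is absent on purpose: following a link is navigation, not mixed content.
const SUBRESOURCE_ATTRS = new Map([
  ["script", "src"], ["img", "src"], ["iframe", "src"], ["audio", "src"],
  ["video", "src"], ["source", "src"], ["embed", "src"], ["object", "data"],
  ["link", "href"],
]);

// True when a Content-Security-Policy header value carries the directive.
function hasUpgradeDirective(cspHeader) {
  return (cspHeader || "").split(";")
    .some((d) => d.trim().toLowerCase().split(/\s+/)[0] === "upgrade-insecure-requests");
}

// List subresources an HTTPS page references over http://, with the URL a
// browser would request instead once upgrade-insecure-requests is in force.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // only HTTPS pages can have mixed content
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const attr = SUBRESOURCE_ATTRS.get(tag);
    if (!attr) continue;
    // <link> only fetches for some rel values; rel="canonical" is just metadata.
    if (tag === "link" && !/\brel\s*=\s*["']?[^"'>]*\b(stylesheet|icon|preload)\b/i.test(attrs)) continue;
    const m = attrs.match(new RegExp(`(?:^|\\s)${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i"));
    if (!m) continue;
    let url;
    try { url = new URL((m[1] ?? m[2] ?? m[3]).trim(), page); } catch { continue; }
    if (url.protocol !== "http:") continue; // relative and // URLs inherit https
    const upgraded = new URL(url.href);
    upgraded.protocol = "https:";
    findings.push({ tag, insecure: url.href, upgraded: upgraded.href });
  }
  return findings;
}

// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = `
<link rel="canonical" href="http://shop.example/">
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
<img src='http://img.example:8080/logo.png'>
<a href="http://partner.example/">partner</a>
<script src="/js/local.js"></script>`;

console.log(findMixedContent(SAMPLE_HTML, "https://shop.example/cart"));
console.log(hasUpgradeDirective("default-src 'self'; upgrade-insecure-requests"));
```

Each reported `upgraded` URL must actually be reachable over HTTPS, because the directive rewrites the request and does not fall back to HTTP if the secure fetch fails.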
Conclusion and tips
If you plan to sell products online or collect personal information (or if you already do), it would be worthwhile for you to consider equipping yourself with a security certificate. In any case, most payment modules will require you to have one before you can integrate them on your site.
Please note that there are free security certificates: https://letsencrypt.org/