
The Implications of Google’s Forced SSL/TLS Adoption


Let's take a look at how Google is enforcing the move to HTTPS and the impacts of SSL/TLS adoption on SEO and your user experience.


Over the past few years, we’ve been reading a lot about the transition from HTTP to HTTPS. It boosts your SEO, improves your site’s reliability, and ensures that your users’ data is safe.

Most importantly, that’s something Google wants you to do. Namely, they’ve invested a lot in spreading HTTPS over the web, making notable browser changes, displaying security warnings to users, making HTTPS a ranking factor, and introducing various projects and policies.

So, here is how Google forces sites to have an SSL certificate and why it is important to do so.

The Impact on SEO

Google has definitely invested a lot of effort into promoting and supporting the implementation of HTTPS. And, one of their most significant strategies was to make SSL a ranking factor. Even though they described it as “a very lightweight signal affecting fewer than 1% of global queries and carrying less weight than other signals”, it can still be of critical importance to your SEO efforts.

Namely, Backlinko recently conducted comprehensive research, analyzing 1 million Google search results. They found that sites that switched to HTTPS rank higher. But Backlinko’s Brian Dean still describes this association between rankings and HTTPS as “not especially strong.”

So, how can SSL impact your rankings?

First, there is always a chance that they will decide to make it a big deal in the.

Second, SSL should never be observed in a vacuum. Apart from encryption, it also brings numerous other benefits to the table, such as the HTTPS schema that improves your click-through rate or HTTP/2 that boosts your website speed. In other words, the adoption of SSL impacts other, major ranking factors and may make or break your website’s performance in the SERPs.

So, if you still believe that switching to SSL/TLS is not worth all these technical headaches, just remember that 3.5 billion searches are made on Google every day and that this search engine is still the major source of your website traffic.

And, using SSL/TLS is your chance to rank and look better on Google, as well as boost your visibility among billions of similar sites.

The Use of Security Indicators Affects User Experience

Google’s main aim is to make its users’ browsing experience safer and more pleasant. This is why it has decided to make browsers paranoid about the sites that haven’t moved to HTTPS yet.

You probably know that a site using HTTPS has a green address bar and a padlock, proving that users’ data is safe there. But, the way they treat sites still using HTTP has changed drastically. Earlier, when a user landed on such a site, they would come across an “i” sign and, by clicking on it, they would see a warning telling them that the site is not secure.

However, in early 2017, Google announced that they will display warnings when users are asked to enter any information over an HTTP connection, not just passwords or credit card data. In other words, if a user submits their email address or searches for products on a site not using HTTPS, they will immediately see the “Not Secure” notice. Those searchers using Incognito mode will even be able to see that warning when landing on any site that is not encrypted, even if it doesn’t ask them to perform any action.

Of course, Google is planning to take these initiatives to the next level, by displaying the “Not secure” message for all HTTP sites to all searchers, even those outside Incognito mode.

And, this sounds legit, given the fact that 40% of the 100 top ecommerce sites still don’t use HTTPS. In addition, Mozilla’s researchers claim that more than 40% of the web traffic has not been encrypted yet.

So, the only way to stay relevant to your customers and make your site trusted is to start using HTTPS.

This sounds like a good plan but it’s still full of numerous holes. Namely, there are many trustworthy online retailers that really encrypt their passwords and credit card information, but haven’t switched to HTTPS entirely. Even though these sites are trustworthy and legitimate, Google will still show security warnings and may scare buyers away.

The Rise of the CT Policy

To offer encrypted traffic to their visitors, a site owner first needs to apply for a certificate from a reliable Certificate Authority. This certificate is then shown to the browser so that it can validate it. The problem is that there are numerous structural flaws in this whole HTTPS certificate mechanism and many CAs are prone to manipulation. By launching Chrome 66 and introducing the Certificate Transparency project, Google is planning to make the certificate issuance process safer.

In February 2018, Google engineer Devon O'Brien pointed out the importance of the Certificate Transparency logging policy:

“Chrome will require that all TLS server certificates issued after 30 April, 2018 be compliant with the Chromium CT Policy. After this date, when Chrome connects to a site serving a publicly-trusted certificate that is not compliant with the Chromium CT Policy, users will begin seeing a full-page interstitial indicating their connection is not CT-compliant.”

Certificate Authorities will have to write the certificates they issue to publicly-verifiable logs. And, the certificates issued by those CAs that refuse to do so won’t be accepted in the future. For now, there have been 1,527,291,926 entries made, and this initiative will prevent a wide range of certificate-based problems that may spiral down to the end-user, exposing them to numerous attacks and privacy problems, including server impersonation or man-in-the-middle attacks.

The Number of Sites Moving to HTTPS is Growing

Finally, sites are migrating to HTTPS impressively fast. Namely, a study by SEMrush shows that the number of websites marked with a green padlock has grown from 7.6% in 2014 to 31.5% in 2017. Furthermore, 41% of the top 5000 sites have already switched to HTTPS.

And, there is no doubt that Google will keep evangelizing and forcing HTTPS adoption in the future.

So, you should move from HTTP to HTTPS as soon as possible and try to go through this process avoiding major bugs or drastic ranking or traffic drops.


Topics: security, google, ssl, tls, https
