Google recently announced that its Chrome browser will soon start flagging every website not using HTTPS encryption as “not secure.” With this “Chrome 68” update slated for a July 2018 release, the time to act is now.

These proposed “flags” aren’t hidden behind the scenes, either. As part of Google’s push for a secure web, they’re taking security from being a top-of-mind item – and are placing it right in the corner of our eyes. Look to see large, imposing red icons of ‘unlocked’ padlocks (not pictured in example above) with accompanying bold text reading “Not secure” popping into Chrome omnibars right next to unencrypted websites’ URLs. A literal ‘big red flag.’

Whether you feel your site is secure or not is going to be irrelevant come this July. If you’re in eCommerce, buyers won’t think twice about ditching your site when there’s a big red icon telling them they can’t trust you.

But what about the rest of the Web?

WHY IS GOOGLE’S HTTPS UPDATE IMPORTANT FOR ALL WEBSITES?

Google’s already rolled out in-omnibar security notifications on some sites, something they began doing as early as 2016. Specifically, those sites that contain billing and credit card information forms, and certain sites that use and collect people’s personal data for transactional and other purposes. With this new update, though, every single website will be receiving this treatment in Chrome whether they use these forms or not.

But what if you’re not so sure that much of the traffic your site gets is mediated by Chrome? Is it safe to assume that enough of your users are on another browser like Microsoft Edge? In short: No way.

At the time of this writing, Google’s Chrome browser holds a staggering 57.4% of the global web browser market share (up from 52.8% just one year prior). For perspective, other flagship browsers like Apple’s Safari and Mozilla’s Firefox trail behind Chrome at just 14.4% and 5.5%, respectively.1 And above all else, that’s why this “Chrome 68” update matters to you: If you’re interacting with your customers online, there’s an overwhelming chance (in the ballpark of, well, 57%) that when you do, they’re using Chrome.

HOW HTTPS AFFECTS E-COMMERCE, YOUR SITE’S VIEWERS, AND YOUR SEO RANKING

If you’re in eCommerce or are managing an eCommerce website, what this all really boils down to? Sales. A recently conducted GlobalSign² study found that 84% of users reported they would abandon an online purchase if they found or were informed that the site was not secure. If the browser-share numbers are anything to go by, that’s 48.2% of your total customer base who will, statistically, refuse to support your business. That’s nothing to be ignored.

And speaking of, don’t be surprised if once-faithful patrons of your website or business begin falling by the wayside and begin ignoring you. In eCommerce, where the interactions between buyers and sellers are already inherently abstract, making meaningful, tangible connections is everything. All that trust you’ve worked to build within and without your community? Out the window, once users associate you with risky business practices.


But okay, let’s grant that in some ideal scenario, the consumers your eCommerce business markets to are all non-Chrome internet browsers. They use Firefox, they opt-in to Safari – but they’re still surfing the web. What happens when they search?

Two forms of encryption have become the standard for keeping browser data secure – Transport Level Security (TLS) and Secure Sockets Layer (SSL). While we won’t need to go into what these different encryption approaches are, what matters is that having either at all on your site means you get a search ranking boost from Google’s site-crawlers. If you’re lacking encryption, expect to enjoy a cozy (read: invisible) slot below your secure competitors on Google’s results page. If you end up on page 3, be sure to send us a postcard. We’ve never seen it.

So is it all worth it to make the switch to HTTPS encryption? If you can’t tell already: Yes. Overwhelmingly.
How do you do it? Read on to find out.

WHAT ARE THE STEPS TO TAKE TO BECOME SECURE?

If you’re now convinced that encryption is the way to go, there’s going to be some work you’ll need to do to get there. Luckily, becoming “certified secure” is relatively simple (though can be time-consuming) for companies in any stage of their growth, often automated, and in almost every scenario, certification can be absolutely free.

PROCURE YOUR OWN DEDICATED IP

If your site’s up and running already, you already have an IP address. Some domain services, though, offer shared IP plans. When you’re IP’s dedicated, it means any traffic going to that IP address is going to your website and your website only. Sound like you? Perfect. Because here’s where the work begins.

FIND YOUR CERTIFICATE

When it comes to finding the certificate that’s right for you, you’ll need to figure out which of the three SSL levels suit your service. These are:

DOMAIN VALIDATED (DV)

Simple Certificate Authority verification which corroborates that whoever requested the SSL certificate is actually the owner and admin of the domain in question. Visitors see a green padlock icon in the omnibar, but no owner-specific info.

ORGANIZATION VALIDATED (OV)

Requires Certificate Authorities to confirm that the business or site making the certification request is registered and legitimate. Users are able to click the green padlock icon, and the business’ name is listed in a dropdown.

EXTENDED VALIDATION (EV)

Requires even more documentation for Certificate Authorities to validate the SSL request. Visitors to your site see your company name right in the omnibar – although, as with OV, clicking the padlock icon will show the name, too.

Once you’ve got that down, you’ll need to choose: Paid, or Free? When making this decision, it’s important to note that there’s no difference in the legitimacy of a paid vs. a free SSL. What you’ll be paying for is implementation and in most cases, ongoing support. If free sounds better, and you’ve got a little workable time on your hands, we see nothing wrong with opting for the free route. That’s what the rest of this process-guide will focus on.

Several projects, like Let’s Encrypt, ZeroSSL, and others are great places to start. Let’s Encrypt even offers umbrella certification for companies with multiple subdomains. And for total back-end site-security, Google’s own Lighthouse offers tools to ensure that each of the individual elements of your website is HTTPS-compliant. Too, many hosting services offer free SSL deployment, so check your host’s support channels now to see what’s up for grabs. Because hey, if it’s out there, use it!

INSTALL YOUR CERTIFICATE

Because the actual installation of your certificate will vary depending on your operating system (Windows, Ubuntu, Mac, etc.), your company’s server software (Apache vs. Nginx, etc.), and which option you choose (paid support vs. DIY), we’re going to gloss over this portion. But that’s okay! The free certification service options all have detailed, in-house, step-by-step guidelines to help you through it – and if you’re paying for the job to get done, it’s already out of your hands.

UPDATE YOUR SITE TO USE HTTPS

Finally, you’re going to need to do a smidgen more bow-tying before your SSL’s ready to ship, so to speak. Be sure to:

• Route to / Force HTTPS. To make sure that all traffic goes to your newly certified site through encryption, you might have to do something like edit your .htaccess file. That'll be in the root of your site (though you might need to show hidden files to find it), but it can also be very dangerous to your site’s proper functionality if you’re not precisely sure how or what to edit. Additionally, VPS Apache and Nginx users each have their own separate courses of action. But again, no matter what, the SSL service you choose will walk you through getting it just right. So protip: read all the instructions first, and you’ll know you’re set.
• Triple-check for Mixed Content Warnings. Sometimes you’ll have linked resources on your website (images, videos, etc.) that load through plain old HTTP by default. Aside from unwanted or incorrect browser-based content warnings popping up on users' screens when they shouldn’t be, this can break site functionality and usability. Don’t worry, though. There are SSH-access commands you or your dev team can run to batch-search your entire domain, easy.
• Note: HTTPS doesn’t necessarily mean that on-server information or data’s secure. HTTPS only protects the transfer of data from your visitor's points of access to your site/servers and vice-versa. It keeps them safe on their afternoon drive to the bank – once they’re in the parking lot, the rest is on you.

And that’s what you need to know about HTTPS. Use these tools, secure your site, and do it by July. Because once Chrome 68 drops, there’s no going back. Fortunately for your bottom line, you got here first.