Sucuri Blog

Website Security News

Google Warnings For Form Input Over HTTP Coming in October

EspanolPortugues

For years, Google has been actively seeking ways to encourage website owners to implement SSL certificates. SSL allows websites to be accessed over HTTPS, which encrypts information sent between the visitor and web server. If you are considering enabling HTTPS on your site, we have a guide that can help you implement SSL for free through Let’s Encrypt.

Recently, we discussed how Google is moving from a reward system to a punitive one. Websites using SSL continue to get an SEO boost since it became a confirmed ranking signal in 2014, but we noticed a few months ago that Google was blacklisting non-HTTPS websites that allowed password fields and credit card forms to be filled.

In just over a month, Chrome version 62 will be released, and websites with any kind of text input will require an SSL certificate if they want to avoid a “Not Secure” warning in the address bar.

Email from Search Console to users of HTTP websites with unencrypted form input.
Make sure your site is verified in Google Search Console to enable email warnings and notices.

It’s unclear at this point if this is a step toward blacklisting sites that take form input without SSL. If so, it makes sense from Google’s perspective. As more sites adopt SSL, the remaining websites will require additional incentive to make the switch. We’ve seen Google ramp this up continuously, and we don’t expect any change in pace.

Users, as we know, often don’t notice the “Not Secure” warnings. The onus is on service providers and website owners to protect their users from unknowingly sending sensitive information to their servers, and Google is taking on the role of policing this.

Is Your Site Affected?

Here are a few questions to ask yourself:

  1. Does your site take any text input? This includes contact forms, search bars, login panels, etc.
  2. Is your website using HTTP:// in the address bar?

If you answered “yes” to both of those questions, you need to implement SSL to avoid showing a “Not Secure” warning in visitor’s browsers. You should also be forcing HTTPS on your site to avoid having users accidentally access the non-encrypted version of your site.

How to Get SSL

Often, your host will have options for enabling SSL. Many hosts even have a one-click SSL option which allows you to auto-generate a free Let’s Encrypt certificate. If you are a Sucuri customer, all plans include free SSL certificates.

Note: There is no difference between paid SSL certificates and free ones when it comes to the level of encryption. If you require more support, you might consider paying for one.

To implement a free Let’s Encrypt certificate on your own server:

  1. Gain administrator access to your web server (sudo over SSH)
  2. Find out what operating system and server software you use.
  3. Get the right instructions for your server at the CertBot website.
  4. Follow the steps to generate your certificate and enable auto-renew.
  5. Take care of any mixed content warnings using plugins or manual fixes.
  6. Verify your HTTPS site in Google Search Console (if you haven’t already).
  7. Submit a new sitemap with your updated URLs.

You may need to contact your host to get the information and access you need.

Conclusion

It’s been more than a year since Let’s Encrypt left beta; it’s time for all website owners, hosts, agencies, and service providers to make the jump. There is increasing evidence that the longer you wait, the more risk you have of becoming blacklisted or labeled as “Not Secure”.

In July, at MozCon (a prominent event for SEO), Dr. Pete gave a talk on the top tips for SEO in 2017. At the top of his list was a recommendation to implement SSL. The benefits and risks are becoming hard to ignore.

According to Firefox telemetry, almost 60% of web pages today are loaded via HTTPS. We expect this number to increase as Google finds more ways to penalize sites that should be using the encrypted protocol to protect sensitive input.

From our perspective, this increased focus on SSL is a good thing for website owners. Hopefully, this leads to more interest in website security in general, because unfortunately, even with SSL, websites are still at risk of being hacked and controlled by attackers.

The distinction here is that SSL does not mean the website is secure. While HTTPS keeps the visitor’s information secure in transit, SSL doesn’t do anything to protect the website from being hacked.

Our website security platform includes a free SSL certificate, allowing your site to be accessed over HTTPS – and also comes along with ongoing monitoring, protection, performance improvements, and immediate help for hacked websites. If you are looking to implement SSL for free, try our DIY guide.

About Tony Perez

Tony is the Head of Security Products at GoDaddy and Sucuri Co-Founder. His passion lies in educating and bringing awareness about online threats to business owners. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at perezbox.com and you can follow him on Twitter at @perezbox.

Reader Interactions