Confused About Google Chrome’s HTTPS and Symantec Regulations? Here’s What Publishers Need to Know
Google, the company behind the world’s most popular search engine and web browser, has made a number of significant changes in the last year. While these changes aim to create a safer place for users, it is website owners and managers that need to make adjustments to keep their sites up and running.
This article will go over Chrome’s new HTTPS and Symantec-related regulations, explain why the tech giant has decided to make these changes, and discuss what you need to do to keep your site running in optimal condition.
Google’s Push for HTTPS Websites
It’s a well-known fact that Google has been pushing to create a safer browsing experience through encryption for some time now. Two years ago, the company announced its plan to gradually start labeling websites that used the HTTP protocol as “not secure” with the aim of pushing their owners to use HTTPS.
For those of you who may be wondering, the difference between HTTP and HTTPS is that the latter uses TLS or SSL encryption. In other words, HTTPS sites protect the information being sent to and from their servers, preventing Man in the Middle and other types of cyber attacks.
While the announcement was not welcomed by all critics, Google’s decision has pushed for the widespread adoption of secure encryption as the new standard. Recent studies found that, for the first time ever, more than half of Alexa Top 1 Million websites are using HTTPS. Even government pages have started adopting this practice, with a whopping 37 out of the 50 States in the US implementing HTTPS on their websites at the time of writing.
This shows a positive change as website owners and managers are creating a safer experience for users. But this also means that publishers who don’t make the necessary changes may see negative repercussions.
The “Not Secure” Label and Future Red Warning
Google started labeling HTTP websites as “not secure” in July 2018. Additionally, in October of this year, the company also plans to add a red highlight to the warning every time consumers enter data on these websites.
What does this mean for publishers exactly?
Users spend more time on websites they trust. And most consumers trust the fact that big companies like Google will provide a safe browsing experience. This means that if your website is labeled as “not secure” then chances are the traffic on your site will decline drastically.
Avoiding the “Not Secure” Warning
Publishers, site owners, and web managers need to implement HTTPS on their websites to make sure they are not hit with a warning sign. Google provides a set of tips and best practices here, but you may want to contact your development team or IT department to help you with the setup.
The Symantec Security Certificates Conundrum
Besides the fact that Chrome will be labeling HTTP websites, Google has also starred in another controversial decision that also involves security. After a series of suspicious incidents implicating questionable authentication certificates, Google announced that they would be distrusting all security certificates issued by Symantec.
As you may already know, Symantec has been a leading authentication certificate provider for the last decade. However, numerous security issues have emerged over the past several years due to Symantec’s own infrastructure.
Google’s Decision to Distrust Symantec Certificates
These multiple issues ultimately led to Google’s announcement, which in simple terms states that websites that use a Symantec TLS encryption certificate (including Thawte, GeoTrust, and RapidSSL) issued prior to December 2017 will not be accessible through Chrome. This will also affect various subsidiaries, with some exceptions, so we suggest you look at some of the authentication certificate tools
The final change will take effect in the stable distribution of Chrome 70, which is scheduled for October 16th, 2018. On the other hand, the beta version of Chrome 70 was released August 30th, which means that websites running Symantec-issued certificates are missing out on some traffic already.
It’s imperative for publishers to review their authentication certificates and make sure they are valid before the stable version release date.
Symantec has promised to replace the affected authentication certificates with new ones at no cost to their customers. As these will be issued after December 2018, they will be fully valid in the eyes of Google.
At the end of the day, each case is different, so we advise you to check your certificate to make sure it was not issued directly or indirectly by Symantec. If it was, we suggest you contact your current provider or find a company that can issue a valid certificate before Google rolls out Chrome 70.
Firefox Pledges to Distrust All Symantec Certificates
The problem with Symantec’s inconsistent certificates was first identified and discovered by Mozilla. Back then, the creators of Firefox pledged to distrust all certificates issued by Symantec.
Since then, DigiCert has purchased Symantec’s web security PKI solutions, but this has not changed Mozilla’s commitment to severing ties with all related certificates. As with Chrome, Mozilla’s final implementation is due in October of this year with the release of Firefox 63.
Unlike Google, Mozilla is not accepting any certificates issued by Symantec even after they were acquired by DigiCert. Websites that rely on heavy Firefox traffic will need to find a new provider if this is the case.
How to check your certificate?
On September 13, Google will remove trust for all certificates issued by Symantec, including Thawte-, GeoTrust-, and RapidSSL-issued SSL/TLS certificates.
You can check whether you have to replace your certificate with SSL Certificate Checker. The tool will provide you with info on what steps you should take next.
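A scripted version of this check, added here as an example and not part of the original article or of the SSL Certificate Checker tool: it classifies a certificate by the brand names in its issuer and by its issue date. The substring match on brand names, the reading of "prior to December 2017" as 2017-12-01, the function names and the sample certificates are all assumptions of the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brand names come from the article; substring matching on the issuer is an
# assumption of this example, not the browsers' actual distrust logic.
BRANDS = ("symantec", "thawte", "geotrust", "rapidssl")
# "Issued prior to December 2017" read as before 2017-12-01 UTC (assumption).
CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)

def issuer_fields(cert):
    """Flatten getpeercert()'s nested issuer tuples into a flat dict."""
    return {key: val for rdn in cert.get("issuer", ()) for key, val in rdn}

def issued_at(cert):
    """Parse notBefore (e.g. 'Jun  1 00:00:00 2016 GMT') into aware UTC."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def classify(cert):
    """'ok': no listed brand in issuer; 'replace': brand and pre-cutoff;
    'review': brand but issued later, check each browser's policy."""
    f = issuer_fields(cert)
    text = f"{f.get('organizationName', '')} {f.get('commonName', '')}".lower()
    if not any(b in text for b in BRANDS):
        return "ok"
    return "replace" if issued_at(cert) < CUTOFF else "review"

def fetch_cert(host, port=443, timeout=5):
    """Leaf certificate of a live site. Needs network, and the handshake
    fails if the local trust store already rejects the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _cert(org, cn, not_before):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),)),
            "notBefore": not_before}

# Constructed samples; issuer names and dates are illustrative only.
SAMPLES = {
    "legacy": _cert("GeoTrust Inc.", "RapidSSL Example CA", "Jun  1 00:00:00 2016 GMT"),
    "reissued": _cert("Example Corp", "GeoTrust Example CA 2018", "Mar  5 00:00:00 2018 GMT"),
    "other": _cert("Example Trust Services", "Example TLS CA 1", "Feb 10 00:00:00 2016 GMT"),
}
if __name__ == "__main__":
    print({name: classify(cert) for name, cert in SAMPLES.items()})
```

The script looks only at the issuer named in the leaf certificate, so a chain that reaches a Symantec root through a differently named intermediate is not detected; use `classify(fetch_cert("your-domain"))` for a live site.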