HTTPs is a requirement for your website

About a year ago, I have published an article about HTTPs usage growth: Chrome, Firefox and Google Search: HTTPS forcing its way. In this article I detailed some major announcements, that would probably result in pushing HTTPs forward.  

Ever since, requests using HTTPs reach 25% according to HttpArchive data (compared to 15% in April 2015).

In this post, we’re going to focus on today’s results of the previous announcements, on the last changes, and especially on why you should consider HTTPs as a requirement for your website (not only for security or SEO considerations!)

Chrome: HTTP will clearly appear as non-secure.

We know that active tampering and surveillance attacks, as well as passive surveillance attacks, are not theoretical but are in fact commonplace on the web. […] We know that people do not generally perceive the absence of a warning sign.

That’s how Chrome Security Team announced their plan to highlight explicitly a security issue with a warning sign on every website using the conventional HTTP.
Until now, it was the opposite: a website using the HTTPS had a positive visual signal (represented most of the time by a padlock next to the URL).

Chrome Https green padlock

What about today?

You may already know the answer if you’re using Chrome: there is no change yet. Nevertheless, the setting is available, from chrome://flags you should be able to enable the mechanism in a few seconds:

Chrome Setting to Enable non-secure HTTP signal

Here’s the result you’ll get when browsing a non-secure website after enabling the setting:

Unsecure URL flag result in browser address bar

We can easily imagine that the general public would be worried by such an icon while browsing its favorite websites. It’s actually one of the reasons why Chrome team delayed its initial plan to adopt this setting by default in 2015, because there are still too many websites using non-secure HTTP.
However, Chrome Team has confirmed recently (January 16th) the plan.

Firefox appears to have the same policy. The 43 version has introduced new icons within the network timeline, in order to highlight security considerations. The non-secure HTTP representation is the same than  the chrome one: a crossed out padlock.  Moreover, the developer edition of the 46 version warns developers by changing the security iconography when a password form is used on a non-secure web page. Again, it’s only a first step:

since we are working on deprecating non-secure HTTP in the long run, you should expect to see more and more explicit indications of when things are not secure

UPDATE (march 15, 2016): Google pushes things forward within its last transparency report #movingtoHTTPS : “By our estimates, the list of sites below accounts for approximately 25% of all website traffic worldwide […] We are open to working with all sites listed below to help them move to HTTPS by the end of 2016.”
So please be aware that previous limitations for their plan to deprecate non-secure HTTP might be gone in a few months only!

Firefox plans to deprecate the non-secure HTTP.

There is progress, even if nothing is really visible for now. As a reminder, Richard Barnes (one of the Mozilla security team leader) have announced in April 2015 the Mozilla plan to make some features unavailable within Firefox when browsing non-secure web pages.  

Chrome and Firefox are working in the same direction, but we don’t have any public signal  from Edge nor Safari.

If you need to use Service Workers, you’ll have no other choice than offering a Secure Context (i.e. using HTTPs). This proposal establishes a list of some existing features that may be concerned by the Secure Contexts specification: in a few months, geolocation feature or full-screen mode may not be available anymore over simple HTTP.

About geolocation, developers may have already detected the intent to deprecate the feature usage over non-secure HTTP, as seen in the Chrome console:

Geolocation Deprecated feature console message

If you’re already using Dareboost to analyze your website, you should not have miss that, as you can access to the console of the web browsers we use to analyze your website, at any time from our reports :

Dareboost report access to the browser console

Google Search: HTTPS as a ranking signal

Since summer of 2014, Google takes into account HTTPs as a positive signal within its ranking algorithm. The search engine specifies it’s a minor signal compare to the importance of other ones you may be familiar with.

In december 2015, Google announced Indexing HTTPS pages by default if they are available and comply with some basic constraints, for instance the absence of Mixed Content (see next paragraph)  

The search engine keeps going with its policy to encourage websites to adopt HTTPs.  You may love this article, reminding a study over more than 1 million of search results, showing a correlation between a good ranking and HTTPs usage, and also listing the main errors you can make in setting up HTTPS.

Mixed Content, a flow affecting 11% of websites in HTTPS

A web page is composed of many resources (images, style sheets…), and even on a HTTPS website, some of them are sometimes loaded using the non-secure version of the protocol. It is therefore referred as Mixed Content.

This problem is frequent, and calls into question the security of exchanges. As stated sooner, it’s now a signal that Google cares about (Indexing HTTPS pages by default).

Studying Mixed Content in 2014, we found that 11% of websites were facing the issue. To learn more, please read our detailed article about it.

Today, among 53 558 websites using HTTPs within HttpArchive data, we counted 6 488 with Mixed Content. It’s about 12%. A significative part of the errors are related to third-party content (ads, Google Font, etc ).

In our article last year, we have introduced a new directive for the CSP (Content Security Policy) header : upgrade-unsecure-requests. It’s now fully supported by  Chrome, Firefox and Opera. It will allow you to request to these web browsers – on a HTTPS website – to try to request every resource over HTTPs, even if the path in the source code is defined as HTTP.

You should not wait anymore for HTTPs

Finally, I can only advice you to consider migrating as soon as possible to HTTPs .

HTTP 2 is growing fast, and you’ll not be able to benefit from the performance optimizations of this new protocol if you’re not using HTTPs.

Do not forget that you can get free certificates from letsencrypt.org, even if the project is still in beta, that still a great solution for numerous websites.   

Our website analysis tool have been advising for 2 years now HTTPs usage. Dareboost automatically detects Mixed Content within your pages, as well as a hundred of other quality errors. Do not wait anymore to benefit from our tool to improve the speed and the quality of your websites!

Test your website for free and discover all our tips!  

3 thoughts on “HTTPs is a requirement for your website

  1. I couldn’t agree more on this subject.
    There was a time when HTTPS was mainly a subject for banking website, then for ecommerce. But considering the sensitivity of credentials within an environment where all devices are connected through untrusted environment, the is not reason to skip https, even for “small” and “non critical” web platforms.
    I’m glad to see that big actors like Google, technologist by nature but also aware of risks, are pushing for more security through their ranking criteria.

  2. Awesome Damien Jubeau,

    I like the way you explained the feature list in detail, however I think it is not important for them who are not dealing with e-commerce related things. Since HTTPS costs much a normal blogger will hardly think of having it. So yes there is small scope for it but this is not the right time.

Comments are closed.