Google Chrome begins shaming 'Not Secure' websites

By Published on .

Credit: Illustration by Tam Nguyen/Ad Age

Some publishers and online retailers may soon find themselves being shamed by the world's largest browser following the recent implementation of a security standard to better protect consumers.

Google said this week that its Chrome browser will start displaying "Not Secure" to the left of URL addresses for websites that haven't adopted the "S" in HTTPS.

The acronym, which stands for "hypertext transfer protocol secure," essentially provides better security when processing payments or sharing personal information. Sites that do not make the change may see a lower ranking in Google search results and perhaps a loss of revenue if cautious consumers navigate away.

"You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers," Chrome warns consumers.

Google gave publishers roughly six months' notice before implementing the consumer warnings, but many are still grappling with making the switch. (Ad Age should be up and running with HTTPS in about a week.)

Jason Jedlinski, head of consumer products at USA Today Network, says the most time-consuming part of adopting HTTPS was taking stock of all the different partners and vendors that appear on the publication's web pages.

"We were coordinating with them to be sure they were ready and could support secure delivery, so we didn't have a 'half-secure' experience," Jedlinski says. "There was a lot of back and forth and coordinating calendars and from there, it was test, test, and test again."

"Rather than being intimidated by the enormity of the effort, be judicious about what has to be on your page," Jedlinski advises publishers. "This presents a good opportunity to clean house and streamline the number of third-party elements that are a part of your website. Use HTTPS as the excuse for those painful 'Are you sure you still need that pixel?' or 'What do we really need three partners for?' conversations."

HTTP$

As more publishers move to put up paywalls, having a "Not Secure" label can potentially harm a company's bottom line.

"We expect the 'Not Secure' label becomes most impactful for subscriptions and e-commerce situations," Jedlinski says, adding that it's also "a sign of authenticity in a climate of 'fake news,' confirming that no one tampered with our content on its way to your browser. But realistically, I don't think the average consumer is thinking that way when reading a news story. For us, benefits are better search rankings, speed or performance."

Google says it indeed uses HTTPS as a ranking signal for search. Back in 2014, the company said it was a "very lightweight signal," but added that "over time, we may decide to strengthen it because we'd like to encourage all website owners" to make the switch to HTTPS. A spokeswoman for the company says, however, that it "is still a very lightweight signal."

As of February, according to Google, 81 of the top 100 sites now use HTTPS, 68 percent of Chrome traffic on Android and Windows operating systems is protected, and 78 percent of Chrome traffic on Chrome and Mac operating systems is covered.

Dennis Buchheim, senior VP and general manager at the IAB Tech Lab, says the trade body has supported HTTPS since 2016, adding that only Chrome sends the "Not Secure" message.

Getting HTTPS for a single website is easy, he says. "There are programs like 'Let's Encrypt' that minimize the barrier to entry. However, most publisher sites include a variety of third party content – advertising, sign-in, data partnerships, and so on."

"Moving the main domain to HTTPS means that any of these third parties that haven't transitioned to HTTPS will not be called, potentially impacting business relationships," Buchheim says.

Most Popular