Google Confirms Security Warnings For HTTP Forms

Webmasters operating non-secure sites have woken up this morning to concerning warning messages in Google Search Console (formerly Webmaster Tools), advising that from October 2017, users filling in forms on their sites will be warned that their data is not secure. The message reads as follows:

To owner of http://www.example.com
Starting October 2017, Chrome (version 62) will show a ‘NOT SECURE’ warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as < input type=”text” > or < input type=”email” >) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.

http://www.example.com/url-one
http://www.example.com/url-two
http://www.example.com/url-three
http://www.example.com/url-four

The new warning is part of a long term plan to mark all pages served over HTTP as ‘not secure’.

This was originally announced on Google’s Chromium blog back in April this year, but warnings have only just started rolling out to webmasters via Google Search Console.

Who is at risk and what may the impact be?
This could be a big problem for any non-secure website (using the http:// protocol) reliant on form fills to provide their service. Any site requesting an email address for instance – which is just about every e-commerce or lead generation site – may see this warning trigger for users. Naturally, this is likely to have an impact on conversion rate as a warning that their data is not secure is likely to be extremely off-putting to prospective customers.

Why Are Google Making This Move?

Google places a huge amount of importance on data security and have even built it into their ranking algorithms, announcing in 2014 that they would be giving secure sites a small boost in search results. As owners of the most widely used browser, Google obviously feel they have a duty to ensure that their users are informed of any data security risks and assure their information is kept safe.

What does the future look like for non-secure sites?
As Google says in their message, ‘The new warning is part of a long term plan to mark all pages served over HTTP as ‘not secure’. We feel that there is a good chance these warnings could extend to search results pages themselves in the near future. Google has, in the past, provided mobile users with a notification in search results that sites are not mobile friendly. Similarly, they could do the same here to inform users before they even make the initial click that they will be opening a non-secure site.

This, of course, would be hugely detrimental to CTR from organic results, diminishing ever-important organic visitor volumes and subsequently could harm organic rankings.

What Should I Do?

All indications show that this march towards a fully secure web is only going to continue, so we would strongly recommend that now is as good a time as any for all non-secure sites to move over to the https protocol – ideally before October when the warnings will begin to show in Google Chrome. There are a number of important considerations site owners need to take when migrating from HTTP to HTTPS. If carried out incorrectly, the migration can be extremely detrimental to precious organic rankings.