I noticed earlier this week that Google have started ramping up the warning messages they display on websites utilising SSL that they don’t deem ‘fully-secure’. I’m now seeing this graphic in the address bar of the latest Google Chrome browser when visiting certain websites on HTTPS:
Google have been warning users visiting non-secure sites via their Chrome browser for a while now, however the fact they’re now displaying a bright red strikethrough in such an eye catching position on websites who are already using HTTPS will surely cause visitors to lose trust in the website they’re visiting. Indeed, my client’s website (the example above) has seen a huge dip in conversion rate over the past week, when we first noticed the red strikethrough graphic appearing.
This latest development shouldn’t come as a surprise though, as Google have been encouraging all webmasters to move their sites to HTTPS over the past few months, even going as far as suggesting websites that utilise HTTPS will get a slight ranking boost in the search results.
I’m seeing this on my website – how do I solve the issue?
When you click on the red HTTPS graphic to try and diagnose the issue, Google provide very little information. I’ve seen this on a few websites now, and the message usually provided is ‘identity not verified’:
After carrying out some research around common ‘identity not verified’ causes in Google’s Chrome browser, I found that Google Chrome have started phasing out SHA-1 (as used in certificate signatures for HTTPS). Google announced back in November 2014 that HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s browser – huge news, right!? Well, I have to admit I can’t recall noticing the original announcement, however this goes some way to explaining the red strikethrough icons that have just this week started appearing in their Chrome browser.
With the SHA-1 bombshell in mind, I thought I’d better check the details of the website in question:
Bingo! Notice that the certificate expires May 2017 (after January 2017) and that it is signed and hashed with SHA-1.
SHA-1 (secure hash algorithm) has been used for years to sign and hash various objects, including SSL certificates. In 2005 it was determined to be insecure. As a result, Microsoft and Mozilla have previously announced plans to stop supporting SHA-1 certificates by 2017. Google has announced that it will do the same, seemingly much quicker, which is exactly what’s happened here.
If you want to check whether your website is using SHA-1, click on the HTTPS section of the address bar in your browser window, click on ‘certificate information’, and navigate to details. If you notice that your website is having the same issues as reported in this case, you’ll need to ask your web developer to update your certificate to SHA-2.
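The browser dialogue above is the manual check. As an added example (not code from the original post), the script below applies the same rule programmatically to a DER-encoded certificate: it parses the outer X.509 structure with a small standard-library-only DER reader, reads the signatureAlgorithm OID and the notAfter date, and reports a warning when the signature hash is SHA-1 and the certificate is still valid after 1 January 2017, which is the cut-off the post quotes from Google’s announcement. The OID-to-hash table is a constructed lookup of the common signature algorithm identifiers, and the sample certificates are skeletal, unsigned structures built inline purely to exercise the parser; they are not real certificates and would not validate in any client.

```python
"""Flag DER certificates that Chrome's SHA-1 rule (per the post) would mark as not fully trusted."""
from datetime import datetime, timezone

# Signature-algorithm OIDs mapped to the hash they use (constructed lookup for this example).
SIG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10040.4.3": "sha1",        # dsa-with-sha1
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",
    "1.2.840.10045.4.3.4": "sha512",
}
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)  # date quoted in the post


def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element inside a constructed value (SEQUENCE/SET)."""
    pos = 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        yield tag, v


def decode_oid(value):
    """Decode OID contents (first byte = 40*arc1 + arc2, then base-128 arcs) to dotted form."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def decode_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) as UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(der):
    """Return (hash_name, not_after) from a DER Certificate: SEQUENCE { tbs, sigAlg, sigValue }."""
    _, cert, _ = read_tlv(der)
    parts = list(children(cert))
    tbs, sig_alg = parts[0][1], parts[1][1]
    alg_oid = decode_oid(next(children(sig_alg))[1])  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first when present
        fields = fields[1:]
    validity = fields[3][1]  # serial, signature, issuer, validity, ...
    _, not_after = [decode_time(t, v) for t, v in children(validity)]
    return SIG_HASH.get(alg_oid, alg_oid), not_after


def chrome_sha1_status(der):
    """'warn' if the signature hash is SHA-1 (or weaker) and the cert is valid past the cut-off."""
    hash_name, not_after = inspect_certificate(der)
    return "warn" if hash_name in ("sha1", "md5") and not_after > CUTOFF else "ok"


# --- constructed sample certificates (skeletal, unsigned; built only to exercise the parser) ---
def der(tag, content):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))


def sample_cert(alg_oid, not_after_utc):
    """Minimal Certificate skeleton with the given signature OID and UTCTime notAfter."""
    alg_id = der(0x30, encode_oid(alg_oid) + der(0x05, b""))
    utctime = lambda s: der(0x17, s.encode("ascii"))
    validity = der(0x30, utctime("150101000000Z") + utctime(not_after_utc))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg_id
              + der(0x30, b"") + validity + der(0x30, b"") + der(0x30, b""))
    return der(0x30, tbs + alg_id + der(0x03, b"\x00"))


SHA1_EXPIRING_MAY_2017 = sample_cert("1.2.840.113549.1.1.5", "170531235959Z")   # the post's case
SHA256_EXPIRING_MAY_2017 = sample_cert("1.2.840.113549.1.1.11", "170531235959Z")
SHA1_EXPIRING_DEC_2016 = sample_cert("1.2.840.113549.1.1.5", "161231235959Z")

if __name__ == "__main__":
    for name, cert in [("sha1/May 2017", SHA1_EXPIRING_MAY_2017),
                       ("sha256/May 2017", SHA256_EXPIRING_MAY_2017),
                       ("sha1/Dec 2016", SHA1_EXPIRING_DEC_2016)]:
        print(name, inspect_certificate(cert), chrome_sha1_status(cert))
```

To run it against a real site, export the server certificate in DER form (for example with `openssl s_client -connect host:443 -showcerts` followed by `openssl x509 -outform DER`) and pass the bytes to `chrome_sha1_status`. Two caveats: the rule the post quotes applies to the whole chain, so each intermediate must be checked as well as the leaf (the self-signature on a root already in the trust store is not what the rule targets), and the `SIG_HASH` table only covers the common RSA, DSA and ECDSA identifiers; an unknown OID is returned as its dotted string so it is never silently treated as safe.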
Now, I’m sure Google could have waited a while longer before turning on this warning. In any case, it’s highlighted the growing importance of website security on site performance, and I’d suggest that after updating to SHA-2 you may well notice a slight rankings boost (whilst avoiding losing the trust of the visitors landing on your website).