4

I would like to know if it is necessary, to avoid Google penalties and Chrome warnings, to enable HTTPS on a website that does not have a login page or a form.

In some cases the website can have a search field form that is needed just to enter a search term.

1stthomas
  • 107
  • 1
  • 7
al404IT
  • 177
  • 5
  • 1
    A search box is text input. – Stephen Ostermiller Nov 16 '17 at 12:54
  • 3
    https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html says "Eventually, we plan to show the 'Not secure' warning for all HTTP pages", so even if your HTTP site doesn't show warning messages now, it will eventually. – Stephen Ostermiller Nov 16 '17 at 12:58
  • 1
    I think it's overkill to use HTTPS for a site that doesn't deal with personal information. And besides, HTTPS takes a bit longer to load than HTTP because of the extra handshake to create the secure connection. – Mike -- No longer here Nov 17 '17 at 05:57
  • 1
    I think it's overkill to put a lock on a house that doesn't contain jewelry. And besides, locks take longer to open than knobs because of the extra turn required for the key. There are other important reasons for website encryption besides personal information. Governments and ISPs shouldn't be able to log every URL that gets requested over a monitored network. Nobody should be able to insert ads into pages without the user and the site knowing it. Webmasters should be able to know that their content isn't altered before it reaches users. – Stephen Ostermiller Nov 17 '17 at 19:08
  • @StephenOstermiller Sure. But note that there is always a chance that "everybody must go TLS to protect privacy" is actually a ploy by government agencies which coerced or fooled Google, and that there are one (or a few) more Heartbleed-like bugs (and design problems) embedded in the (extremely complex) protocols which the NSA will use to do way more extensive spying than by capturing plaintext HTTP. And verifying the source code of a simple HTTP web server (or writing a new one) is actually quite a simple task, but verifying a compliant TLS library is most definitely not. – Matija Nalis Apr 16 '18 at 22:53

2 Answers

1

Google just announced that ALL HTTP sites will be marked as insecure by Chrome starting in July 2018 with Chrome 68. Chrome will start showing warnings on your site unless it uses HTTPS, regardless of whether you have any form or ask users to input data.

Even today your HTTP site will be marked as insecure if users can type data into it (even into a search box). All HTTP sites are marked as insecure by Chrome in incognito mode.

There is also a Google search engine ranking factor tied to HTTPS. Google has said they give a very slight advantage to HTTPS sites over HTTP sites in the search results. The effect is so small that migrating to HTTPS does not usually cause a ranking bump. In fact, in many cases there are temporary ranking drops as Google digests the redirects. I recommend introducing HTTPS and running it in parallel with HTTP initially. Set the canonical URLs to point to HTTPS during this period.

Stephen Ostermiller
  • 98,758
  • 18
  • 137
  • 361
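A way to check both points in this answer while HTTP and HTTPS run in parallel (an added example, not part of the original answer): it flags fields a visitor can type into on a page served over HTTP and checks that the canonical link points to the HTTPS URL of the same page. The `audit` function, the `TYPED_INPUTS` list and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types a user can type into. Assumption: this list approximates what
# Chrome counts as typed data; it is not taken from Chrome's source.
TYPED_INPUTS = {"text", "search", "email", "url", "tel", "password", "number"}


class PageAudit(HTMLParser):
    """Collect the canonical link and any fields a visitor can type into."""

    def __init__(self):
        super().__init__()
        self.canonical = None
        self.typed_fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "canonical" in a.get("rel", "").lower().split():
            self.canonical = a.get("href")
        elif tag == "textarea":
            self.typed_fields.append(a.get("name") or "textarea")
        elif tag == "input" and (a.get("type") or "text").lower() in TYPED_INPUTS:
            self.typed_fields.append(a.get("name") or "input")


def audit(page_url, html):
    """Return a list of findings for one page fetched at page_url."""
    p = PageAudit()
    p.feed(html)
    findings = []
    page = urlsplit(page_url)
    if page.scheme == "http" and p.typed_fields:
        findings.append("typed input over HTTP: " + ", ".join(p.typed_fields))
    if p.canonical is None:
        findings.append("no canonical link")
    else:
        canon = urlsplit(p.canonical)
        if canon.scheme != "https":
            findings.append("canonical is not HTTPS: " + p.canonical)
        elif (canon.hostname, canon.path or "/") != (page.hostname, page.path or "/"):
            findings.append("canonical points to a different page: " + p.canonical)
    return findings


# Constructed sample: a page with only a search box, canonical still on HTTP.
SAMPLE = """<html><head><link rel="canonical" href="http://example.com/">
</head><body><form action="/search"><input type="search" name="q"></form>
</body></html>"""
```

Run against the HTTP copy of a page, a remaining "typed input over HTTP" finding is expected during the parallel period; it clears once visitors reach the page over HTTPS.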
0

Since your site does not collect sensitive information, Chrome will not display a warning about an unsecured connection.

As far as SEO goes, a secured site tends to rank better than non-secured sites.

Consider securing your site anyway; you can use Let's Encrypt.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

gabehou
  • 552
  • 2
  • 15
  • 1
    I like your advice, but your first sentence is wrong. https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html says "Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the 'Not secure' warning when users type data into HTTP sites." That search box will cause a warning because users can type in it. – Stephen Ostermiller Nov 17 '17 at 19:10