Earlier this year we all saw the first of a series of planned changes to how Google’s Chrome browser will display HTTP web pages without TLS/SSL encryption. To move towards a safer web, Chrome began displaying a “not secure” warning in the address bar of websites that collect passwords or credit card information. Now, the second step of Chrome’s changes is upon us. And this one is expected to have a much broader effect.
In late October, Google released version 62 of Chrome browser with two significant updates. First, Chrome began labeling all non-HTTPS pages in incognito mode as “not secure;” and, most importantly, Chrome also began adding the “not secure” warning in the address bar when visitors start typing any information on HTTP pages.
Here’s what this now looks like:
According to Google, “Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “not secure” warning when users type data into HTTP sites.” Not surprisingly, this change has been getting a lot more attention, and site owners have been rapidly adding certificates for TLS/SSL to secure their pages from HTTP to HTTPS.
In addition to this, we know that a third step is coming—we just don’t know when. At some point, Google has said that Chrome browser will add the “not secure” warning for any requests to HTTP pages. That’s huge! Google is making it clear that a safer web is one where unencrypted web connections are discouraged. That means we’re moving towards a future where HTTPS page encryption is going to be a standard requirement for web pages.
In this blog, I’ll share some web security fundamentals and give you some ideas on how you can plan to avoid the “not secure” warning coming with Chrome browser changes.
Let’s Start With the Basics
Before we dive right into what you need to do, let’s start with some basics. I’m going to keep it at a pretty high level in this post, but there’s a ton of information online—even some Web Security Fundamentals from Google.
What is TLS/SSL?
Transport Layer Security (TLS) and its predecessor Secure Socket Layer (SSL) are security protocols that encrypt the exchange of data between web servers and clients. This data encryption is vital to help prevent malicious parties from sniffing or eavesdropping into data as it traverses the web—which is especially important when it’s personal data, like passwords, credit card numbers, or other personally identifiable information that is shared. To secure those communications while in transit, companies purchase and apply TLS/SSL certificates, enforcing that requests to the site are made via HTTPS (HyperText Transfer Protocol Secure) instead of HTTP (HyperText Transfer Protocol); essentially encrypting the data exchange and providing authentication to ensure that communication is happening only between the intended parties.
Why is it important?
With unsecured sites, i.e., those serving up HTTP pages, it’s possible for hackers or other parties to see the information shared between you and the site you’re visiting. While this may seem farfetched or like the plot of an episode of Mr. Robot, it does happen! That’s why Chrome is making moves to encourage HTTPS—a move that will likely make HTTPS the new de facto web standard—for data security, increased search ranking (yes, page security is a ranking factor), and ultimately better conversion rates.
What Should I Be Doing to Secure My Pages?
If you believe as I do that HTTPS is going to be the new standard, then I bet you’re thinking about what you actually need to do to ensure your corporate web pages and your Marketo landing pages are secured. The three steps below are meant to get you started on the right path.
STEP 1: Check if your Corporate Domain is Secure
While the title of this step sounds like you need to have mad technical skills—you really don’t. All you need to do is to type your corporate website URL into any browser. For me, it’s opening up Chrome and typing, www.marketo.com. You’re looking to see if the address bar says HTTP: or HTTPS: and/or if using Chrome, you’re looking for the green lock and word “secure” when your page loads. If you see HTTPS, your corporate site is secure. It’s that easy.
If your corporate site is not secured, you may want to do a quick audit of your pages. You’ll want to note the address of any page that has a form or collects information. With the recent update to Chrome 62, it’s those HTTP pages that collect data that will display the “not secure” warning in the address bar. This list will also give you a starting point for the discussion you’ll need to have with your IT and web teams in the next step.
STEP 2: Meet with your IT and Web Team
It’s now time to enlist your experts. Schedule a time to meet with whoever is responsible for your corporate website. You’ll want to be sure they know of the changes to Chrome browser, and you’ll want to know of any plans that may already be in place to secure your corporate pages. The good news is that they may already be aware of the changes to Chrome. In mid-August, Google emailed notifications via Google Search Console to site owners who have HTTP pages with data entry. This notification explained that these pages will be marked as “not secure” in Chrome 62, and it even provided a list of affected page URLs (SearchEngine Land did a nice write up on this communication if you want to learn more). If your webmaster received this message, that would likely make a much smoother conversation with them.
On the other hand, if your IT or web team is unaware of the recent Chrome browser changes and the impact on collecting data from your pages on your site, below is a list of links that should help brief them before you meet.
To have a productive meeting with your IT or web team, here are some topics we recommend that you cover:
- What is your company’s policy for securing web pages?
- Who is your point of contact for web projects like creating, updating, securing pages?
- Does your company have any projects or initiatives already in progress to secure pages?
- Who’s responsible for purchasing TLS/SSL certificates to secure pages?
- How are certificate renewals handled?
- Are there any steps that marketing needs to take when creating new pages on your corporate site?
- When adding new technologies to your technology stack, is there an audit to determine if pages/content/data needs to be hosted or served securely.
- What other platforms might serve your forms, landing pages, images, or content?
Be sure to really dig into that last item on the list. While your corporate website serves pages from your servers that your IT/web teams can secure, many third-party platforms may also serve your pages from their servers. In fact, this is so important that it deserves to be its own step, leading us to Step 3.
STEP 3: Consider 3rd Party Platforms That Serve Your Pages
So far, you’ve checked your corporate website to see if it’s serving up secure pages, and you’ve met up with your IT/web teams to be sure they know that the recent changes to Chrome may require avoiding “not secure” warnings. Now, it’s time to consider all the 3rd party platforms you’ve got integrated with your technology stack that might host or serve pages, content, or assets. You may need to work with those vendors to secure the pages they serve. Third party vendors could include your marketing automation tool, email service provider, or content management system.
While the changes to Chrome will affect all landing pages across the web, when it comes to your Marketo landing pages, you have two options. The first is to do nothing. Your landing pages and forms will continue to be served over HTTP and will work as before. The only difference will be the “not secure” notification that Chrome will add in the browser’s address bar when a visitor enters data on your page. The second option is to add Secured Domains for Landing Pages to your Marketo subscription. This will create a secure landing pages server on our side to serve your landing page requests via HTTPS.
Marketo Secured Domains for Landing Pages
Marketo’s Secured Domains for Landing Pages secures any and all landing page domains defined in your instance to serve via HTTPS. Here’s a brief overview of the process:
On the Marketo side, we’ll install a new server endpoint and install the necessary security certificate(s) to create a secured landing page server for your instance. This will allow us to serve page requests for all your landing page URLs over HTTPS. In the past, our secured services required you to provide a TLS/SSL certificate and private key to Marketo, but we now we manage this process for you—as well as certificate renewals—making it easier than ever to secure your pages.
On your side, you’ll need to review and update any hardcoded links on your landing pages and unapproved/reapprove your landing pages before the cutover from HTTP to HTTPS. Once you’re ready, we’ll coordinate a time for the cutover, and enable your instance for secured landing pages. From that point forward, your pages will be served via HTTPS.
Moving your pages to HTTPS—whether it’s your corporate pages, your Marketo landing pages or other pages serving your content—helps to ensure that you’re providing critical security and data integrity to help protect your visitors’ personal information.
Want to learn more about Secured Domains for Landing Pages? Please see our Marketing Nation Community post on Secured Domains for Landing Pages, or contact your Marketo customer success representative.
How are your IT or web teams addressing the Chrome browser changes? Let us know if you have tips to share for adapting to these changes!