Starting in October, Google Chrome users will see a “Not secure” warning when entering data on any HTTP-only page that contains a form or text-field.
Google first announced HTTPS as a ranking factor in 2014. Back then, it was just a minor signal, but Google noted in its announcement that it may increase the weight of the signal over time. Not only has Google stuck to its commitment to make HTTPS migration a priority, its upcoming changes will impact the overall user experience for non-secure sites.
Any time a user enters data on a page with a text-accepting form field—a login page, gated content download form, demo request form, or newsletter signup field—the URL for the page will be prefaced with a “Not secure” warning in Chrome’s omnibox:
This has been the default browser behavior for password and credit card fields since January, but the new change applies the warning to all pages that accept data. Additionally, every page of an HTTP-only site will display as “Not secure” when users are browsing in Incognito mode.
This newest behavior could deter users from entering data on a website and may diminish brand credibility with new visitors. For novice users, the “Not secure” label may be seen as a warning of a potential phishing attempt.
And while this change isn’t directly related to SEO and rankings, it could still have negative impacts. If site visitors leave without performing actions because of the warning, it could harm engagement metrics, signaling to Google that your site/content no longer satisfies user intent. In turn, rankings may decline.
If you haven’t yet migrated to HTTPS and are concerned about how this change may impact the user experience, the best thing to do is begin the process of migrating to HTTPS.
On a large site, migration is no small feat, but it’s the best way to prevent pages from being labeled as “Not secure.” Google intends to eventually label every page of HTTP-only sites—whether they collect information or not—as “Not secure.”
There are other possible options—such as installing an SSL certificate on a subdomain and moving all form pages to that subdomain—but these options are only short-term fixes, may damage SEO over time, and will increase the complexity of complete migration.
Google’s push to encourage websites to transition to HTTPs is an attempt to make the internet a safer place. Delaying migration not only has potential impacts on SEO and the user experience, it also creates a window for the data collected on websites to be exploited by malicious intruders.
A good first step in preparing for this change is identifying which site pages contain data-collecting forms. With help from a developer, you may be able to install a security certificate and use HTTPS only on those pages as a short-term solution.
But keep in mind that this newest change is just one more step toward Google’s goal of labeling all HTTP pages as “Not secure.” Complete migration may be time-consuming and costly, but it’s inevitable.