Certageddon is here. Are you ready?
SSL certificates are changing. And you might need to take action before the 17th April.
Previously, you only needed an SSL certificate for the areas of your site that you needed to be secure – like password-protected log in areas of payment pages.
But in 2014, Google announced that having a site using the secure HTTPS protocol would be a ranking signal – something that search engines consider to calculate their rankings. They also suggested it would become a stronger factor in their algorithm, meaning that non-secure sites may find it more challenging to out-rank secure sites.
There was nothing saying you had to be on a secure domain. But seeing as 81 of the top 100 sites on the web are using HTTPS as default, Google has made no secret that it’s a consideration in their ranking algorithms.
Now, Google are taking things up a notch. As of July this year, any sites that aren’t on HTTPS will be marked ‘not secure’ in a Chrome web browser – which might harm click-through rates from SERPs.
That’s not all though.
Google and Mozilla have announced that they no longer trust SSLs issued by Symantec (and the brand family – Symantec, Thawte, GEOTrust, Rapid SSL).
Because Symantec was letting their network issue certs without enough oversight, including one to google.com. Google then published a timeline (which can be found here) to fully distrust Symantec certificates.
So, what does that mean for your website?
Well, if you’re not using HTTPS yet, or you have a certificate issued by Symantec, you might have some work to do…
Our Head of Organic Search, Carl Brooks, is here to answer any questions you might have on Certageddon:
I have a Symantec SSL certificate – what can I do?
This depends on the type of certificate you have, there are a couple of things to consider:
For certificates issued before the 1st June 2016, Google and Mozilla Firefox won’t trust it after the 15th of March 2018.
- If the certificate expires before March 15, 2018, you don’t need to do anything. The certificate will continue to be trusted by Chrome until it expires.
- If the certificate expires after March 15, 2018, but before September 13, 2018, you can re-issue this certificate any time before March 15, 2018.
- If the certificate expires after September 13, 2018, you’ll need to re-issue the certificate before March 15, 2018.
For certificates issued after the 1st of June 2016, Google Chrome browser won’t trust this certificate after September 13, 2018.
- If the certificate expires before September 13, 2018, you don’t need to do anything. The certificate will continue to be trusted by Chrome until it expires.
- If the certificate expires after September 13, 2018, you’ll need to re-issue the certificate before September 13, 2018.
- If you purchased a certificate after December 1, 2017, the Chrome browser will trust this certificate. You won’t need to re-issue.
My website is already on https – how do I know who issued the SSL certificate?
You should contact your developers and SSL providers to double-check and find out who issued your site’s certificate. Or find out for yourself by following these steps:
- Navigate to your site in Chrome and click on the secure symbol in the address bar where you’ll see an option for “certificates”.
- Click on the valid link directly below this to see a pop-up box with the certificate details in it.
- You’ll find the issued details in the general tab. Just double check that Symantec (or any of their brands) aren’t involved by clicking on the certification path tab to see the full certification path.
I haven’t got an https site yet – how do I get one?
If you’re not on an https site yet, you’ll need to do a couple of things:
- Make sure you get yourself a non-SymantecSSL certificate as soon as possible. You’ll need your web developers to implement this for you and get your current site redirected to https.
- You’ll also need to get your marketing team, Search team and/or SEO agency to set up https versions of your site for the Google search console and Bingwebmaster tools as well as amending your Analytics set-up. Migrating from http to https will stop data coming through into the search console as it did before, so you should make sure this is all set-up properly to avoid losing important metrics.
Got more questions about SSL and what it means for you? Get in touch with us to find out more.