One of the problems we have found in dealing with security over the years is that you have a lot of people managing websites who believe they have a much better understanding of things than they do. Security companies make this situation worse by spreading misleading and outright false information to market their products and services.
One area where we frequently see issues, not just when it comes to security, but more generally as well, is people managing websites believing that upgrading software on a website will resolve some issue they are having. What seems like it should give them some pause, but apparently doesn’t, is that they don’t themselves even have the capability to handle the upgrade, but believe they know what the impact of that would be.
What we have found repeatedly in that situation is that they will contact someone like us about having an upgrade done and not mention that their reason for getting the upgrade is the assumption that it will resolve that issue. In some cases they only bring it up after the upgrade has been fully completed and the issue still exists.
Due to the increasing frequency with which we run into this type of situation, we recently changed how we do things, so now in the contact form for upgrade services we specifically ask why there is interest in having an upgrade done.
A recent example showed why that is important and brought to our attention misleading claims from a company named Atlantic BT about the changing handling of non-HTTPS websites in Google’s Chrome web browser.
The reason given that this person was interested in having a fairly significant upgrade done was that their website was going to be “useless” in a few weeks due to a new Google security regulation. We really didn’t know what they were talking about, and for good reason: it turned out the reality was very different.
What is happening is that in July, with the release of Chrome 68, Google will start labeling non-HTTPS web pages as “not secure”. Here are the before and after according to Google:
That wouldn’t make a website useless, though it might make an eCommerce website, like the one we were contacted about, less appealing.
What was more important was that upgrading the software on the website wouldn’t have an impact on that, since HTTPS is handled by the server, not the software running on the website. As long as the software on the website allows you to configure things so that addresses on the website start with “https” instead of “http”, there is no need for an upgrade to implement HTTPS.
So where did the idea that the website would be useless come from? It turned out that was due to a blog post on Atlantic BT’s website. The intent of the post seems to be to scare people into contacting this company for security services.
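A check that fits the point above, as an added example rather than anything from the original post: once the server is serving HTTPS, list the addresses a page still emits with “http”, which is what the site software's address setting controls. The host name shop.example and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is an address the browser loads or navigates to.
URL_ATTRS = {"href", "src", "action"}

# Constructed sample page for a hypothetical shop served at shop.example.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://shop.example/css/site.css">
<script src="https://shop.example/js/cart.js"></script>
</head><body>
<a href="http://shop.example/checkout">Checkout</a>
<img src="/images/logo.png">
<form action="http://shop.example/login" method="post"></form>
<a href="http://other.example/">Partner</a>
</body></html>
"""


class HttpAddressFinder(HTMLParser):
    """Collects (tag, attribute, url, same_site) for every http:// address."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # https, relative and non-web schemes are not flagged
            host = (parts.hostname or "").lower()
            same_site = host == self.site_host or host.endswith("." + self.site_host)
            self.findings.append((tag, name, value.strip(), same_site))


def find_http_addresses(html, site_host):
    finder = HttpAddressFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for tag, attr, url, same_site in find_http_addresses(SAMPLE_PAGE, "shop.example"):
        where = "same site" if same_site else "external"
        print(f"<{tag} {attr}> {url} ({where})")
```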
The name of the post as listed in the URL for it, https://www.atlanticbt.com/blog/google-chrome-warn-users-non-secure-websites/, seems neutral. The visible title isn’t, “Non-Secure Websites, Beware! Google is After You”.
In the first paragraph they state:
This could create many challenges for web owners and designers. Traffic and revenue losses, as well as drops in organic search rankings, could all be consequences.
In the second paragraph they make a claim that there is a requirement to use HTTPS, despite there not being one:
By July, Google will require ALL websites to have their entire domain set up as HTTPS.
In the third paragraph they again try to push the negative impact, without quantifying how much, if any, they are claiming there would be:
This means that Google’s policy update will have major implications on your site’s web performance.
In the fourth paragraph they can’t even get to a benefit of HTTPS without playing up fear first:
Before stressing over the potential impact of this update, it’s important to recognize the countless benefits of establishing a secure connection via TLS.
The final section of the post, titled “What are the implications of Google’s update?”, starts with more unquantified claims:
Google is increasingly using security as an algorithmic ranking factor within their Search Engine Results Page (SERP). In 2014, Google publicly announced that websites would receive a boost in rankings if they switch from HTTP to HTTPS. And in-line with that policy, sites that remained HTTP would be at risk of losing rankings. This is a serious threat to the acquisition of organic traffic on HTTP websites.
So people should be doing something now because there was a change four years ago, for which Atlantic BT can’t actually cite, say, a percentage impact (as far as we are aware there wasn’t much impact on rankings due to that change).
Next, they finally mention a quantified stat:
There is also an added risk of dropping conversion rates and losing customers. Studies show that 85% of web users would choose not to make purchases from a website if it was labeled as “non-secure”.
If you follow the link, though, it doesn’t make the specific claim they say it does, and there are a number of other issues. What is claimed on the linked page is that a survey found that:
In fact, 85% of web users state they wouldn’t buy through a website where they weren’t certain their data was being transferred securely.
Among the issues that we can think of off the top of our heads:
- That isn’t a study.
- The question posed is different.
- People stating they would do something does not necessarily reflect what they really would do.
- The survey was done by a company that sells SSL certificates, which makes the result somewhat suspect. Fuller details that could be used to better assess the veracity of the survey, like what the wording of the question was, were not provided.
No other quantified statistics were provided in the post.
The final paragraph of the post seems to be what all the rest was leading to:
If you’re concerned about the potential impact of this upcoming Chrome update, or the security of your site, contact the experts at Atlantic BT.
Based on what we saw in that post it would seem like you would be best steering clear of that company.