Google Chrome Security Changes are Coming (Late 2017)

Version 9

    Overview

     

    Google has announced that they will be making a change in an upcoming version of the Google Chrome Browser that modifies how it marks non-secured (HTTP) pages. The new behaviour displays a grey text “Not Secure” message in the address bar on pages that include a form of any type so users are aware the page is not SSL encrypted. While Google’s change broadly impacts all websites/pages, Eloqua customers are warned that a “Not Secure” message will appear in the address bar of Eloqua landing pages containing forms that are not already configured as secure pages.

     

    http-search.gif

     

    It is imperative to note that this is a cosmetic change by Google Chrome, and does not in any way impact how the Eloqua page is loaded or any activity on the page. Form submissions will continue to function as normal.

     

    This notice will outline how this change may impact your Eloqua landing pages and what you can do to address this.

     

    Note: If you are already using Secure and Authenticated microsites within Eloqua, or externally hosted pages that are already secured with an SSL certificate, any pages hosted under these configurations are not impacted by the Google Chrome changes at all. If you have additional Basic microsites set up, pages hosted under that configuration may be affected if they contain forms.

     

     

    What's changing?

     

    If you’re not already using Secure and Authenticated microsites within Eloqua, or externally hosted pages that are already secured with an SSL certificate, then Google’s planned changes mean that when a visitor hits any of your Eloqua landing pages that have a form on it, they will see a “Not Secure” warning from Chrome in the address bar.

     

    In responding to the Google changes, you have the following three options to consider:

    1. Use Secure Microsites in Eloqua, rather than standard (Basic) Microsites, OR
    2. Do Nothing. If you chose not to update your Basic Microsite configuration to a Secure Microsite, you can rest assured that form submissions will continue as normal as this change is being made by Google and does not change/impact how pages load or forms are processed within Eloqua. That said, you may want to monitor your own form conversion rates for unexpected declines that may be a result of the “Non-Secure” warning. OR
    3. A combination of options 1 and 2 on your own schedule. Eloqua allows you to host multiple microsite configurations at the same time in a single instance. This allows you to make a decision per each microsite that suits the business needs (e.g. high traffic high visibility pages vs. older pages that have low volume traffic).

     

    Secure Microsites in Eloqua: While generally used by organizations that handle extra sensitive information during form data collection, the use of Secured Microsites in Eloqua, can also stop visitors from seeing a “Non-Secure” warning in Google Chrome when they visit your landing pages. Google has indicated that in the future it will start giving HTTPS pages priority in search rankings, so there are potentially additional benefits that can come from this approach.

     

    More information on Secure Microsites can be found here.

     

    Next Steps

     

    1. Contact your account management team for information about adding Secure Microsites to your contract details. More information on Secure Microsites can be found here.
    2. If you would like to convert your microsite to a Secured Microsite, please follow the steps outlined here:
    3. If you are hosting forms on external pages not managed by Eloqua, contact your IT team and request your pages to be secured with an SSL certificate.

     

    For all of the steps above, ensure that your pages also correct any embedded HTTP links to HTTPS to avoid “mixed content warnings.”

     

    Note: “Mixed Content Warnings” are only cautions and don’t change the page in anyway. They just mean that there’s a combination of secure links and unsecure content on the page.

     

    Timeline

     

    Google has indicated the “Not Secure” warning will arrive within the Google Chrome 62 Edition and is estimated to arrive Mid-October (specific dates may vary across different OS platforms).

     

    Additional Resources

     

    FAQs

     

    Q: Why is Chrome introducing this change?

    A: According to Google, this change is intended to “improve how Chrome communicates the connection security of HTTP pages.”

     

    Q: Will my form submissions be blocked if the page is marked “Not Secure?”

    A: No. All form submissions are expected to behave as normal even when a page is marked as “Not Secure” on Chrome 62.

     

    Q: What do I need to do to secure my pages?

    A: Simply follow the steps outlined above to kick-off the process.

     

    Q: How long does the process take once I submit my request?

    A: Our normal turn-around time is around two weeks due to the fact that this involves a number of manual steps that require communication between you and our teams. Note that as a result of this change, there may be an additional delay to initiate your request.

     

    Q: Why can’t Eloqua just convert my Microsite to Secured?

    A: Currently it is not possible to convert a Microsite to Secured while pages are actively hosted under that microsite configuration.

     

    Q: What’s the best path to updating an individual page (or collection of pages)?

    A: Follow the steps outlined in the “Next Steps” section (2b).

     

    Q: Can we start updating our pages before the SSL certificate is put in place?

    A: Yes, you can begin modifying landing pages (e.g. updating external links to HTTPS) immediately and don’t need to wait until after the SSL cert is applied.

     

    Q: What happens with branded links?

    A: If you have branded links configured note that Eloqua does not currently support HTTPS access for branded images. Be sure to take this into account before making a decision on how to proceed.

     

    Q: What type of certificates are supported and/or recommended?

    A: We support EV, SAN and Wildcard certificates. We do not have a specific recommendation as the certificate required will vary greatly based on how you have configured your microsites.

     

    Q: Can I request a specific date to have my SSL certificate added?

    A: We will make a best effort to support a synchronized schedule, but please keep in mind this depends on number and volume of concurrent requests and other work the team may need to do - if this is important, it is important to provide as much advance notice as possible.

     

    Q: How are SSL certificates renewed?

    A: Follow the steps outlined here.

     

    Q: What is a “Mixed Content Warning” and what does it mean?

    A: Chrome and other browsers have granular feedback states in the URL address bar to provide users with information about the page they are browsing. Prior to Chrome 46, if your page was correctly secured with an SSL certificate, but included HTTP links on the same, Google would display a yellow warning icon (this was referred to as a Mixed Content Warnign). Since the launch of Chrome 46, they have dropped this warning and now simply mark the page as “HTTPS with minor errors.” This acknowledges the page itself is secure, but there may be minor errors on the page (such as an HTTP link). You can read more about this in Google’s blog post.