Starting in January 2020 (this month), Google Chrome will start warning users when they visit websites that are not using TLS 1.2 or higher on their secure website. This is a change in Google’s policy about SSL secure HTTPs websites, as they previously have said that it did not matter which type of SSL certificate that a website uses as long as it was HTTPs. We are now learning that it does matter, and the server and the SSL certificate must support at least TLS 1.2 or higher.
In messages being sent to website owners whose sites do not support TLS 1.2 or higher, Google says that they will show a “not secure warning for all sites starting in January 2020. In March 2020, Chrome version 81 will show a full page warning message for these sites.
Google goes on to say how the website owner can prevent these warning messages:
“To prevent warnings from appearing when Chrome users visit your site, serve your site over a modern version of TLS (TLS 1.2 or higher). Depending on your server software (such as Apache or nginx), this may be a configuration change or a software update. These changes do not require getting a new certificate.”
If your website uses Cloudflare for SSL (many sites use Cloudflare’s free SSL certificate option), you can enable TLS 1.2 in the SSL settings in Cloudflare. You have the option to have it use a version older than TLS 1.2, but I recommend setting it to TLS 1.2 or higher at this point:
Apparently Google thinks that enabling TLS 1.2 or higher on a site will help protect users’ data, so they’re making these recommendations now. No official word yet as to whether or not using TLS 1.2 or lower will have an effect on search engine rankings–but it certainly will be a bad user experience if users got to your site and they get a warning about your site not being secure. I’m sure for ecommerce sites it will have an effect on sales.
If you’d like to check your TLS version to make sure your site is compliant, there are various SSL certificate checkers out there. However, many don’t show you the TLS version. The SSLLabs.com checker does tell you the version: https://www.ssllabs.com/ssltest/analyze.html. In Firefox, you can see the certificate information about clicking on the actual lock symbol in the browser, but it won’t show you the version of TLS being used.
H/T goes out to Barry Adams for pointing out this notice. My sites typically use TLS 1.2 or higher already, so I haven’t received any of these warning messages from Google.
