Chrome’s New SSL Policy + Pardot iFrames: Are We in Trouble?

Chrome’s New SSL Policy + Pardot iFrames: Are We in Trouble?

min. reading

In the Success Community, Brittany R. reached out to me and asked if I was planning to blog about secure Pardot URLs and how this relates to the Chrome browser update.

Not going to lie, I knew zero things about this.  So like a good admin does, I got to Googling… and what I found out has me mildly concerned.

Wait, what now?

So here’s the scoop. Google recently notified web admins that starting in October (how is it October already?) HTTP web pages with forms will be marked as “not secure” when the user enters data. It will also show this alert continuously if the user is viewing the site in incognito mode.

So when someone starts filling out a Pardot form (or any form, for that matter) on your site, they will see an alert that what they’re doing is “not secure.”  Like so:

Are you thinking what I’m thinking? No bueno for conversions.

Okay, but what’s the difference between HTTP and HTTPS again?

The short and non-technical story: HTTPS adds an extra layer of security. Sites that use HTTPS have an “SSL Certificate” that encodes their data as it passes from their server to the user’s browser.  

Some extra vocab for you: the security during the transfer is called the Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

You can get SSL Certificates from a number of providers and should check with your hosting company on the specific steps to get this in place for your site.

Why Google, WHY?

Google is just looking out for the browsing public.  Since January, when you visit HTTPS sites in Chrome, you see a little green padlock that indicates it is “secure” (as you may or may not have noticed).  For example:
Secure Pardot Link

But studies show that the general population doesn’t see the omission of this icon as a warning.  Actually, they don’t think that much about security at all unprompted.  

So this is Google’s effort to making its browser safer and making us all more #woke digital citizens.

What Pardot content will be impacted?

The good news: Pardot already does support HTTPS in its content and tracking URLs.  Just make sure you add the “s” in the https://go.pardot.com links.

The bad news: Pardot does not support HTTPS in vanity domains yet.  Since Pardot only has a security certificate for the pardot.com domain, your go.mydomain.com links will not be HTTP secure. Update: SSL for Vanity Domains Now Available

Regardless of whether you use HTTPS Pardot links though, if your site does not have an SSL certificate (i.e. you’re still HTTP) your users will see this warning message.

What should Pardot admins do about this?

It’s tempting to ignore this. Your website will continue working fine.

But this is one of many steps Google will be taking to beef up Chrome security. An estimated 50% of Internet users use Google Chrome as their browser, so it’s a gamble to hope that your target audience isn’t going to be turned off by this “not secure” warning.

I’d recommend doing 5 things to stay ahead of this:

1. The obvious one… get an SSL certificate.

That’s what Google wants.  More on how to do that here.

The default for native Pardot forms when you click “View HTML code” is HTTP — so definitely take a look at these and update where ever you have them placed on your site.

More on this from Pardot here.

3. Look for other “mixed content” that can cause security issues

Are you iFraming other HTTP content, like YouTube videos or social sharing widgets?  If this is on an HTTPS page, you may still have the “not secure” warning served.  

Here’s a great article on how to identify where this mixed content might live so that you can get it updated.

4. Monitor your conversion rates like a hawk

We don’t yet have data on how this will impact user behavior, so start gathering your own.  Benchmark current landing page conversion rates, and take a look in 30 days to see if it’s changed.  

If you haven’t done 1-3 above and you notice a dip… well, you know what to do.

5. Enroll in the pilot for SSL for Vanity URLs

Pardot is piloting SSL for vanity URLs (i.e. those go.mydomain.com ones) in the Winter release. Contact your AE if you want to give this a whirl.

What other questions do you have?  

Thanks again Brittany R. for suggesting this topic!  What other questions do you have on HTTPS / SSL?  Any other burning questions we can dive into here?

Let me know if the comments!

Subscribe to The Spot

This field is hidden when viewing the form
This field is hidden when viewing the form
This field is hidden when viewing the form
This field is hidden when viewing the form
This field is for validation purposes and should be left unchanged.

Upcoming Salesforce Events

Salesforce Training Courses

Categories

Top 5 Recent Posts

  • Andrea Tarrell is the CEO & Founder of Sercante, as well as a 12X certified Salesforce MVP and Marketing Champion. Andrea caught the Salesforce bug at Dreamforce 2011 and hasn’t looked back since. She’s worked for consultancies, agencies, and client-side marketing teams over her career and is passionate about making marketing and sales teams successful with their tech stacks. Andrea lives in Atlanta with her husband Buck and her daughter, Arla. When she’s not working, she’s most likely playing with her German Shepherd Murphy, starting a new hobby that she will engage in exactly one time, or making homemade gin.

Leave Your Comment

Related Articles

Bot Single Post