Chrome’s New SSL Policy + Pardot iFrames: Are We in Trouble?

In the Success Community, Brittany R. reached out to me and asked if I was planning to blog about secure Pardot URLs and how this relates to the Chrome browser update.

Not going to lie, I knew zero things about this.  So like a good admin does, I got to Googling… and what I found out has me mildly concerned.

Wait, what now?

So here’s the scoop. Google recently notified web admins that starting in October (how is it October already?) HTTP web pages with forms will be marked as “not secure” when the user enters data. It will also show this alert continuously if the user is viewing the site in incognito mode.

So when someone starts filling out a Pardot form (or any form, for that matter) on your site, they will see an alert that what they’re doing is “not secure.”  Like so:

Are you thinking what I’m thinking? No bueno for conversions.

Okay, but what’s the difference between HTTP and HTTPS again?

The short and non-technical story: HTTPS adds an extra layer of security. Sites that use HTTPS have an “SSL Certificate” that encodes their data as it passes from their server to the user’s browser.  

Some extra vocab for you: the security during the transfer is called the Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

You can get SSL Certificates from a number of providers and should check with your hosting company on the specific steps to get this in place for your site.

Why Google, WHY?

Google is just looking out for the browsing public.  Since January, when you visit HTTPS sites in Chrome, you see a little green padlock that indicates it is “secure” (as you may or may not have noticed).  For example:
Secure Pardot Link

But studies show that the general population doesn’t see the omission of this icon as a warning.  Actually, they don’t think that much about security at all unprompted.  

So this is Google’s effort to making its browser safer and making us all more #woke digital citizens.

What Pardot content will be impacted?

The good news: Pardot already does support HTTPS in its content and tracking URLs.  Just make sure you add the “s” in the https://go.pardot.com links.

The bad news: Pardot does not support HTTPS in vanity domains yet.  Since Pardot only has a security certificate for the pardot.com domain, your go.mydomain.com links will not be HTTP secure.

Regardless of whether you use HTTPS Pardot links though, if your site does not have an SSL certificate (i.e. you’re still HTTP) your users will see this warning message.

What should Pardot admins do about this?

It’s tempting to ignore this. Your website will continue working fine.

But this is one of many steps Google will be taking to beef up Chrome security. An estimated 50% of Internet users use Google Chrome as their browser, so it’s a gamble to hope that your target audience isn’t going to be turned off by this “not secure” warning.

I’d recommend doing 5 things to stay ahead of this:

1. The obvious one… get an SSL certificate.

That’s what Google wants.  More on how to do that here.

2. Make sure you’re using SSL-enabled Pardot links in your iFramed forms

The default for native Pardot forms when you click “View HTML code” is HTTP — so definitely take a look at these and update where ever you have them placed on your site.

More on this from Pardot here.

3. Look for other “mixed content” that can cause security issues

Are you iFraming other HTTP content, like YouTube videos or social sharing widgets?  If this is on an HTTPS page, you may still have the “not secure” warning served.  

Here’s a great article on how to identify where this mixed content might live so that you can get it updated.

4. Monitor your conversion rates like a hawk

We don’t yet have data on how this will impact user behavior, so start gathering your own.  Benchmark current landing page conversion rates, and take a look in 30 days to see if it’s changed.  

If you haven’t done 1-3 above and you notice a dip… well, you know what to do.

5. Enroll in the pilot for SSL for Vanity URLs

Pardot is piloting SSL for vanity URLs (i.e. those go.mydomain.com ones) in the Winter release. Contact your AE if you want to give this a whirl.

What other questions do you have?  

Thanks again Brittany R. for suggesting this topic!  What other questions do you have on HTTPS / SSL?  Any other burning questions we can dive into here?

Let me know if the comments!

6 thoughts on “Chrome’s New SSL Policy + Pardot iFrames: Are We in Trouble?”

  1. Great article!

    Just to add some clarity, if you have a vanity domain name e.g www2.macramdigital.co.uk like we do, then all forms will autogenerate with the vanity URL included: http://www2.macramdigital.co.uk

    To make this SSL secure, the vanity domain must be changed completely. Adding the ‘S’ won’t cut it if the vanity name is still there.

    E.g
    Doesn’t work: https://www2.macramdigital.co.uk
    Does work: https://go.pardot.com

    I hope this helps! 🙂

  2. Thanks for the article Andrea! Love your blog. It’s great that go.pardot.com works, but most of my customers would like to use the vanity URLs they created, as I’m sure yours would! It’s on the roadmap, so I’m hoping Pardot addresses this soon.

    1. 100% agree Becka! We definitely need the ability to do it with vanity URLs. Will keep nudging folks to #voteandpromote the Idea related to this!

Leave a Reply