Have you been putting off having an SSL certificate installed on your website?
At the end of January 2017, Google Chrome browser, version 56, was released. This was a significant step in the search engine giant’s quest for a more secure Internet.
Let’s take a deep breath, unwrap what has and will happen, and look at what this means to website owners going forward. This post will cover:
Phase 1: Chrome’s Non-HTTPS Not Secure Warning
Released: January 31, 2017, for Linux, macOS and Windows operating systems
Released: February 1, 2017, for iOS and Android
With version 56, websites that collect credit card information and have password input forms that do not have an SSL certificate installed that enables HTTPS were marked not secure.
Login Forms Requiring a Password
If you have a login form for clients to log into a private area of your website, then the warning appears in Chrome. For example, if you have a WordPress membership area where users need to enter a password, the page with the login will have the warning if a SSL certificate / HTTPS is not enabled.
This warning also applied to WordPress admin login forms.
Phase 2: Chrome’s Non-HTTPS Not Secure Warning for Incognito Pages and Text Input
Released: October 2017
Phase 2 of Google Chrome’s Non-HTTPS not secure warning will roll-out in October 2017 with version 62 of Chrome.
Chrome version 62 will show a “NOT SECURE” warning for any type of text input fields on web pages. This includes online forms and search text input, and for all pages when viewed in Incognito mode.
Phase 3: Chrome’s Non-HTTPS Not Secure Warning for all Pages
Released: July 2018
The next step was the release of Chrome 68. It affects each and every page viewed in Chrome 68 that does not have an SSL certificate installed and properly set up on the website.
In the Google announcement, Emily Schechter, Chrome Security Team stated, “Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
What exactly is HTTPS?
HTTPS stands for Hyper Text Transfer Protocol Secure. It provides a secure encrypted connection over the Internet between your browser and the web server.
If you are not familiar with HTTPS, you may have seen it in action and not noticed it. For example, your bank’s website, Gmail, Facebook, and Twitter all use HTTPS. In essence, HTTPS protects the integrity and confidentiality of users’ data.
Why is HTTPS so important?
You may be wondering why Google is pushing more secure pages with HTTPS. The bottom line is that an unencrypted web page is wide open to eavesdroppers and hackers listening to communications between the user and the website.
Having an insecure page is similar to sending a postcard through the mail. Anyone can see and potentially manipulate the data.
Eric Mill, of 18F explained that HTTPS is like sending “a locked briefcase through the mail that only you and a recipient can unlock.”
Chrome’s Global Stats
You may not be a Chrome user and may be wondering what the fuss is all about. The stats say it all. According to the StatCounter Global Stats for desktop, mobile, tablet, and consoles, 53.92% of the global population used Chrome as their browser from April to June 2017.
In addition, FireFox also started showing warnings in the address bar in January 2017 with Firefox 51 for web pages that have password logins and do not have HTTPS. There is a gray lock icon that will have a red strike-through next to the URL in the address bar.
March 7, 2017: Firefox 52
Firefox 52 was released on March 7, 2017. It shows the message, “This connection is not secure. Logins entered here could be compromised” directly on the login form when you click to enter a username or password. It also shows a red strike through a padlock.
Eventually, all pages will show the strike-through lock icon warning in future versions of Firefox for any page that does not utilize HTTPS.
Moving to a More Secure Internet
If you have been considering having an SSL certificate installed, you may want to move it to the top of your to-do list now. Not only is Google making the web a more secure place with HTTPS, other browsers are following suit. Additionally, Google currently uses HTTPS as a ranking signal.
In addition to credit card information and login forms, there could be other sensitive information collected on online forms. For example, if you have an online form on your site that collects sensitive information like the user’s birth date, mother’s maiden name, and more, you should be concerned about eavesdroppers. Having an SSL secured page would protect those filling out that form from unwanted eyes.
Over to You
What are your thoughts on Chrome’s non-secure warnings?
Lastly, if you need help migrating your website to HTTPS, please contact us. We’re here to help whenever you need us.