|

Chrome’s Non HTTPS Not Secure Warning – What You Need to Know

Chrome’s Non HTTPS Not Secure Warning

Have you been putting off having an SSL certificate installed on your website?

At the end of January 2017, Google Chrome browser, version 56, was released. This release was a significant step in the search engine giant’s quest for a more secure Internet.

Let’s take a deep breath, unwrap what has and will happen, and look at what this means to website owners going forward. This post will cover:

Phase 1: Chrome’s Non-HTTPS Not Secure Warning

Released: January 31, 2017, for Linux, macOS and Windows operating systems
Released: February 1, 2017, for iOS and Android

With version 56, websites that collect credit card information and have password input forms that do not have an SSL certificate installed that enables HTTPS were marked not secure.

Login Forms Requiring a Password

If you have a login form for clients to log into a private area of your website, then the warning appears in Chrome. For example, if you have a WordPress membership area where users need to enter a password, the page with the login will have the warning if an SSL certificate / HTTPS is not enabled.

This warning also applied to WordPress admin login forms.

Chrome's non-https warning

Phase 2: Chrome’s Non-HTTPS Not Secure Warning for Incognito Pages and Text Input

Released: October 2017

Chrome version 62 warning

Phase 2 of Google Chrome’s Non-HTTPS not secure warning will roll-out in October 2017 with version 62 of Chrome.

Chrome version 62 will show a “NOT SECURE” warning for any type of text input fields on web pages. This warning includes online forms and search text input, and for all pages when viewed in Incognito mode.

Phase 3: Chrome’s Non-HTTPS Not Secure Warning for all Pages

Released: July 2018

The next step was the release of Chrome 68. It affects every page viewed in Chrome 68 that does not have an SSL certificate installed and properly set up on the website.

In the Google announcement, Emily Schechter, Chrome Security Team, stated, “Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure.”

Eventual Chrome warning for all non secure pages

What exactly is HTTPS?

HTTPS stands for HyperText Transfer Protocol Secure. It provides a secure encrypted connection over the Internet between your browser and the webserver.

If you are not familiar with HTTPS, you may have seen it in action and not noticed it. For example, your bank’s website, Gmail, Facebook, and Twitter all use HTTPS. In essence, HTTPS protects the integrity and confidentiality of users’ data.

Why is HTTPS so important?

You may be wondering why Google is pushing more secure pages with HTTPS. The bottom line is that an unencrypted web page is wide open to eavesdroppers and hackers, listening to communications between the user and the website.

Having an insecure page is similar to sending a postcard through the mail. Anyone can see and potentially manipulate the data.

Eric Mill, of 18F explained that HTTPS is like sending “a locked briefcase through the mail that only you and a recipient can unlock.”

Chrome’s Global Stats

You may not be a Chrome user and may be wondering what the fuss is all about. The stats say it all. According to the StatCounter Global Stats for desktop, mobile, tablet, and consoles, 53.92% of the global population used Chrome as their browser from April to June 2017.

Global browser stats 2nd quarter 2017

FireFox 51

In addition, FireFox also started showing warnings in the address bar in January 2017 with Firefox 51 for web pages that have password logins and do not have HTTPS. There is a gray lock icon that will have a red strike-through next to the URL in the address bar.

Firefox 51 warning for non secure page
Firefox 51 warning for non secure page

March 7, 2017: Firefox 52
Firefox 52 was released on March 7, 2017. It shows the message, “This connection is not secure. Logins entered here could be compromised” directly on the login form when you click to enter a username or password. It also shows a red strike-through padlock.

Firefox 52 warning for non secure page
Firefox 52 warning for non secure page

Eventually, all pages will show the strike-through lock icon warning in future versions of Firefox for any page that does not utilize HTTPS.

Moving to a More Secure Internet

If you have been considering having an SSL certificate installed, you may want to move it to the top of your to-do list now. Not only is Google making the web a more secure place with HTTPS, but other browsers are also following suit. Additionally, Google currently uses HTTPS as a ranking signal.

In addition to credit card information and login forms, there could be other sensitive information collected on online forms. For example, if you have an online form on your site that collects sensitive information like the user’s birth date, mother’s maiden name, and more, you should be concerned about eavesdroppers. Having an SSL secured page would protect those filling out that form from unwanted eyes.

Over to You

What are your thoughts on Chrome’s non-secure warnings?

Lastly, if you need help migrating your website to HTTPS, please contact us. We’re here to help whenever you need us.

Contact us

 

Similar Posts

16 Comments

  1. Robin, I really appreciate your clear writing style and how you break down technical information so that it’s understandable and usable for visitors. I also appreciate the time and effort that you put into researching this topic. Thank you!

    1. Hi Michelle,
      Thank you for your kind words! There is so much information out there, and my hope was to make the phases clear. I appreciate you taking the time to read this, and your sharing it!
      ~ Robin

  2. Great post Robin! Thanks for sharing. I’m not so tech savvy and trying to figure out how I’d know if my website has an SSL certificate installed?

    1. Hi Anna,
      Thank you! I’m glad to hear that you like this post. I did a quick test and your website does have the free “Let’s Encrypt” SSL certificate enabled on your website. It does appear that some of the resources are not being served over HTTPS. I would be happy to discuss this with you if you would like.
      ~ Robin

  3. Robin, I sent this to a group of florists who are, let’s admit it, a gazillion more tech-savvy than I am. Here’s the response I received:

    “This is only for pages on any given website that require secure data to be input, such as passwords, cc #’s any “private” info., NOT ALL pages on the website HAVE TO BE secure. It would be illegal to for Chrome or any browser to make ALL web pages be 100% secure. If this was the case then all of your HUGE manufacturers and companies would have their sites done already. Most florist websites that use a known platform, either a florist specific web provider or a known ECommerce web developer already do and HAVE these pages secured, pages such as the shopping cart page. This rule was in effect for a long, LONG time already, many years. Hxxx, I was just on Ohio(dot)gov and Ohio Workers Comp sites and those weren’t ALL secure, you would think if the world was coming to an end and the sky was falling, they would have done it already, no just their pages that require sensitive data to be input.”

    All of us (as an industry) have secure order pages, but not necessarily secure landing pages. Are we OK as we head into Valentine’s Day?

    1. Hi Tina,
      Thank you for your comment and for sharing the detailed comment from someone from your group of florists.

      As my post states, Google explained that the first phase of the Chrome SSL requirement rolled out on January 30th. It affects those web pages that do not have HTTPS enabled and accept credit cards and have login forms that require passwords. According to Google, if the order pages are secure, then web pages will not be affected.

      You can read Google’s announcement from September 8, 2016 at: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

      As you can see, this announcement also states, “Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.” Please note that Google gave all of us ample time for “Phase One” and should give website owners ample time to migrate to this final phase that will happen “eventually”.

      To your question about having secure order pages, but not secure landing pages, yes, you should be OK as you head into Valentine’s Day.

      I would be happy to discuss this further if you would like. Please let me know.

      ~ Robin

  4. Rob McDonald says:

    Hey Robin,

    This was a very informative post and thanks for the heads up on this.

    I struggle with this sometimes and have to admit, don’t always know when it is important to have an SSL certificate. On my websites in the past, I only installed them, if I was receiving credit card information through the site.

    It seems that a lot of web hosts these days, are offering the SSL’s for free with your web host account. This definitely makes it easier to just install the certificate at the time of install and your done.

    Thanks for sharing this article with us and I will be sure to pass it along.

    –Rob

    1. Hi Rob,

      Thank you for stopping by! Like you, I would install SSL certificates on eCommerce websites that collected credit cards in the past. Now, with Google Chrome and Firefox’s initiative to make the Internet a more secure place, I am strongly suggesting that all of our clients’ websites be migrated to HTTPS.

      Yes, I am aware that of the free SSL certificates like Let’s Encrypt. In addition, there is cPanel’s SSL certificate in partnership with Comodo.

      Thank you again for stopping by and for passing this along!
      ~ Robin

  5. Great article Robin! This is a great feature on chrome. Good things Forefox is starting to do the same. I wonder, does internet explorer have it as well?

    1. Hi Emmerey Rose,

      Thank you for your kind words. Reports do indicate that Internet Explorer also has plans to implement HTTPS warnings as well.

      1. Thanks for the reply Robin! I hope they really do. They’re getting so behind from Chrome and Mozilla now.

  6. Donna Merrill says:

    Hi Robin,

    As always an interesting read. I agree with your points as I have personally tried this & I appreciate your efforts that you have selected this topic to write an article.

    By the way, It’s always pleasure to read your posts and comment.

    ~ Donna

    1. Hi Donna,

      Thank you for stopping by, for reading this post, and for your comment. It is always great to hear from you!

      ~ Robin

  7. George Dragojevic says:

    This is so true Robin! Security is a big thing nowadays and website owners who don’t have it yet should definitely move SSL integration to the top of their priority list. It may affect rankings!

    1. Hi George!
      Yes, I agree. Security is huge. I appreciate you stopping by!
      ~ Robin

Comments are closed.