Google, in their latest effort to ramp up security, has begun rolling out changes in its Chrome browser that will alert users when they are visiting any non-encrypted HTTP website. Formerly considered neutral, HTTP websites are now deemed not secure by the browser. If you’re a site owner or developer, this can impact your site’s traffic and trustworthiness.
HTTPS is not the plural of HTTP
When checking your bank account or shopping online, you probably already know to look for the lock icon in your web browser’s address bar. This indicates your client (browser) is passing data to the site with encryption.
By default, a web page is served to the browser using the non-encrypted HTTP protocol. The protocol is the bit found at the beginning of a URL, or web address.
When a site is secure, the protocol changes to HTTPS, which stands for “HTTP over SSL”. An HTTPS site means that the website operator has secured an SSL (or secure socket layer) certification, and any web traffic passed to that website is encrypted. When using HTTPS, this protocol is often highlighted in the address bar, along with lock icon, to tell users that the connection is encrypted and thus secure.
Until recently, purchasing SSL certificates was expensive and difficult to install, so unless the website provided a login or shopping cart, website operators typically opted not to buy a SSL certificate and relied on HTTP for general web traffic.
Encryption for all!
A lot has changed in the last couple of years, driven in part by high-profile data breaches. In response to the current threat environment, organizations like Let’s Encrypt now provide SSL certificates for free. Furthermore, if your hosting provider uses CPANEL, you are able to use HTTPS instead of HTTP, so there are no reasons to not encrypt your site. Google even rewards HTTPS in search rank – secured sites are deemed more trustworthy by the search giant.
Google is not waiting for developers
Initially, only pages that accept a login or provide a shopping cart will show the alert, but eventually this alert will be displayed site-wide across all HTTP pages.
Receiving this alert may be alarming to site visitors who are already skittish about web security, so if you own or operate a website you should get to work implementing a SSL certificate for your website. In web security, we’re only as strong as our weakest link, so this push by Google to encourage all websites to go HTTPS is a step in the right direction.
How To Fix It
Site owners and developers should take immediate steps to implement a SSL certificate to avoid the not secure warning in Chrome. Instructions how to do so can be found here.