Tag: browser

HTTPS Update: Google Chrome Displays “Not secure” Warning on More Websites

Posted by Ken Moire & filed under Security.

In January we talked about Google displaying a “Not secure” warning to Chrome users who visit any non-HTTPS web pages that accept passwords or credit card information. Soon, Chrome will display this warning in additional cases, affecting website visitors and site owners.

What To Expect

Coming in October, Chrome will show this warning to visitors of any non-encrypted (non-HTTPS) web page that includes a form, and to visitors of any non-HTTPS website while browsing in “incognito mode”. This will affect even more sites, since search, contact and lead generation forms are prevalent.

Chrome’s HTTP Not Secure Warning

This warning does not necessarily mean the website has been compromised. It is a precautionary move by Google to inform website visitors their browsing and communications are not encrypted.
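Site owners can check their own pages against the cases described above. The following Python audit is an added example, not code from the original post or from Chrome; the function names, the sample pages and the use of `autocomplete` card tokens to spot credit card fields are assumptions, and Chrome's own field detection may differ.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: standard HTML autocomplete tokens used as a stand-in for card-field detection.
CARD_HINTS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}
NON_ENTRY_TYPES = {"hidden", "submit", "button", "image", "reset"}

class FormScanner(HTMLParser):
    """Records whether a page has data-entry controls and whether any are sensitive."""
    def __init__(self):
        super().__init__()
        self.has_form = False
        self.has_sensitive = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag in ("form", "textarea"):
            self.has_form = True
        elif tag == "input" and a.get("type", "text") not in NON_ENTRY_TYPES:
            self.has_form = True
            if a.get("type") == "password" or a.get("autocomplete") in CARD_HINTS:
                self.has_sensitive = True

def classify(url, html):
    """Return the warning cases from the article that apply to one page."""
    if urlsplit(url).scheme.lower() == "https":
        return []                      # encrypted page: none of the cases apply
    scanner = FormScanner()
    scanner.feed(html)
    reasons = ["incognito"]            # any non-HTTPS page viewed in incognito mode
    if scanner.has_form:
        reasons.append("form")         # non-HTTPS page that includes a form
    if scanner.has_sensitive:
        reasons.append("password-or-card")  # the earlier, January case
    return reasons

SAMPLE_PAGES = [  # constructed sample input, not real sites
    ("http://example.com/contact", '<form action="/send"><input type="text" name="q"><textarea></textarea></form>'),
    ("http://example.com/login", '<form><input type="password" name="p"></form>'),
    ("http://example.com/about", "<p>About us</p>"),
    ("https://example.com/login", '<form><input type="password"></form>'),
]

def audit(pages):
    return {url: classify(url, html) for url, html in pages}

if __name__ == "__main__":
    for url, reasons in audit(SAMPLE_PAGES).items():
        print(url, reasons or "no warning")
```
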

Why Encrypt

The responsibility for web security belongs to all of us: web developers, website owners, network administrators, hardware and software manufacturers, and of course, users. In this chain, web security is only as good as the weakest link. This latest maneuver by Google, in an effort to make the web a more secure place, highlights the responsibility of site owners to provide safe, secure browsing and online communication for their visitors. For users, it is a lesson in the risk of using non-HTTPS websites, particularly ones that collect personal information.

In light of the recent Equifax hack, it is important for users to know their online communications and personal data are secure. Site owners should take measures to obtain a Secure Sockets Layer (SSL) certificate and move to HTTPS.

SSL certificates are now more affordable than ever. There are three main methods for securing your site. Domain Validated (DV) SSL certificates provide a basic level of encryption and are relatively easy to implement. Organization Validated (OV) and Extended Validation (EV) SSL certificates require more validation, making them costlier and more complicated to set up.

Talk to your web hosting provider to see what your options are and which solution makes the most sense for your website or application.  

What Happens If You Do Nothing

Having HTTPS is a factor in improving your site’s search rank in Google. Displaying this message to your visitors can have a negative long-term impact on your brand’s trust, and worse, keeps you and your visitors open to potential malicious attacks.

While this change currently only impacts users on Google Chrome, other browsers have historically followed Google’s lead on security issues. Browsers from Firefox to Microsoft Edge will likely follow suit.

Chrome HTTP “Not Secure” Warning Fixed with SSL

Posted by Ken Moire & filed under Security.

Google, in its latest effort to ramp up security, has begun rolling out changes in its Chrome browser that will alert users when they are visiting any non-encrypted HTTP website. Formerly considered neutral, HTTP websites are now deemed not secure by the browser. If you’re a site owner or developer, this can impact your site’s traffic and trustworthiness.

HTTPS is not the plural of HTTP

When checking your bank account or shopping online, you probably already know to look for the lock icon in your web browser’s address bar. This indicates your client (browser) is passing data to the site with encryption.

By default, a web page is served to the browser using the non-encrypted HTTP protocol. The protocol is the bit found at the beginning of a URL, or web address.

HTTP is the web protocol

When a site is secure, the protocol changes to HTTPS, which stands for “HTTP over SSL”. An HTTPS site means that the website operator has obtained an SSL (Secure Sockets Layer) certificate, and any web traffic passed to that website is encrypted. When using HTTPS, this protocol is often highlighted in the address bar, along with a lock icon, to tell users that the connection is encrypted and thus secure.

Until recently, SSL certificates were expensive to purchase and difficult to install, so unless the website provided a login or shopping cart, website operators typically opted not to buy an SSL certificate and relied on HTTP for general web traffic.

Encryption for all!

A lot has changed in the last couple of years, driven in part by high-profile data breaches. In response to the current threat environment, organizations like Let’s Encrypt now provide SSL certificates for free. Furthermore, if your hosting provider uses cPanel, you are able to use HTTPS instead of HTTP, so there is no reason not to encrypt your site. Google even rewards HTTPS in search rank: secured sites are deemed more trustworthy by the search giant.

Google is not waiting for developers

Initially, only pages that accept a login or provide a shopping cart will show the alert, but eventually this alert will be displayed site-wide across all HTTP pages.

The Not secure warning in Chrome

Receiving this alert may be alarming to site visitors who are already skittish about web security, so if you own or operate a website you should get to work implementing an SSL certificate for your website. In web security, we’re only as strong as our weakest link, so this push by Google to encourage all websites to go HTTPS is a step in the right direction.

How To Fix It

Site owners and developers should take immediate steps to implement an SSL certificate to avoid the “Not secure” warning in Chrome. Instructions on how to do so can be found here.