The release of Chrome 70 came and went rather quietly last month, but it left a highly visible mark on many HTTP websites in its wake.
Since the latest update, Chrome users have been getting a red “Not Secure” warning in their address bar each time they enter text into an HTTP website - and not just on fields we expect to be encrypted like logins, but anywhere that text can be submitted, including search bars, newsletter signups, polls, contact forms and more. The bold red labeling by Chrome is simply Google's latest escalation in warning web users that their data might not be safe.
The Long Road to Red Not Secure Warnings
Unless you’ve been under a rock these past few months, you probably knew mandatory HTTPS was coming. In fact, Google has been gradually moving towards HTTPS everywhere for more than three years now.
Back in 2015, Google began its push towards a safer web by downgrading unencrypted websites in search. Next, Chrome made a crucial reversal in how it marked websites. Instead of labeling HTTPS websites “secure” in the address bar, it defaulted to treating encrypted webpages as the norm and instead began labelling HTTP pages that contained password or credit card fields as “Not Secure”. After about 18 months of this treatment, Chrome rolled out Not Secure warnings across all HTTP websites this past July.
The red “Not secure” or “Dangerous” warning we are talking about today is just the latest evolution of Chrome’s security indicators - an upping of the ante on websites that accept data versus those that don’t.
And the warnings are working - the web is getting safer. The percentage of HTTPS page loads via Chrome has increased dramatically, averaging approximately 77% today across Android, iOS and ChromeOS. Just as importantly, user expectations have also shifted, with web users now expecting HTTPS by default.
Below are some examples of what the standard grey Not Secure warning looks like on an HTTP website, and how it changes after text has been entered into the search field.
Not Secure example, before entering text into the search field
Not Secure example, while entering text into the search field
What Risks do Non-Secure HTTP Webpages Pose?
HTTP has had a good, long run since it became the internet’s standardized protocol in the mid-to-late 1990s, but the web - and threats to its security - have evolved significantly in recent decades. Today HTTP can make you vulnerable to a variety of threats and problems from anyone that controls the network you are using.
Before we launch into the risks associated with unencrypted traffic, it's worth noting that a “Not Secure” warning does not mean the website you are visiting has been found to be unsafe, or that someone is intending to do something malicious with the information that you share there. Rather, it serves to strongly emphasize that you’re not as safe as you could be on that particular website.
A secure web connection protects against eavesdroppers, man-in-the-middle attacks, and hijackers who attempt to spoof a trusted website. HTTPS accomplishes two very important things to keep you secure - it prevents third parties from reading your information in transit and ensures the integrity of the information you send and receive on the web.
Communications over unencrypted HTTP connections are far more easily and frequently intercepted by unknown parties, especially if you are using a public network connection in, say, a coffee shop, airport or school common area, just to cite a few examples. Older hardware and software can further exacerbate the risk by making users more vulnerable to new security threats. Not only can the information you share be intercepted by third parties, it’s possible that it may never be received by the website owner at all.
To put it plainly, if you’re the owner of a website that’s not yet encrypted in 2018, you’re unnecessarily putting your brand, visitors and business at increased risk. Even if you don’t collect any personal information on your website, being labelled as “Not Secure” makes a poor first impression for any visitor. At a minimum, you’ve invested time, energy and goodwill into whatever your website is representing online, be it your business or a blog about your favourite pastime. Why risk tarnishing all that hard work and turning visitors away?
Besides the real risks of reputational damage, unsecured websites are also more susceptible to other unsavory practices, such as having middlemen inject advertisements or other unsolicited content into their websites. When this occurs, it can be hard for website owners to detect. Not only can they not see what their visitors are seeing, they’re typically accessing their websites from the same known and trusted networks, day in and day out. Besides rogue advertisements, HTTP websites are also more susceptible to the insertion of various kinds of malware that can track behaviour, mess with your website or reroute your traffic. If you need to see it to believe it, check out this video by web security expert Troy Hunt that demonstrates the various threats static HTTP websites are up against.
Don't Get Left Behind: HTTPS is the New Normal
In keeping with the belief that HTTPS encryption should be the norm, not something you should have to check for, Google stated that its eventual goal is to have HTTPS be the default unmarked state. Right now, however, it’s unclear whether the current incarnation of Not Secure warnings will stay, and for how long, or whether they will continue to evolve. What we do know for certain is that HTTP’s days are numbered - and that SSL is a must for all websites moving forward.
If you own a website that does not yet have SSL implemented, do yourself and your visitors a favour - don’t wait any longer. With SSL adoption rapidly increasing worldwide, web users are fast losing tolerance for web pages that put them at increased risk. Plus, HTTPS also confers other benefits, namely a slight boost to your search engine rankings.
Eliminating Not Secure warnings on your webpages can be completed in a few straightforward steps - namely, purchasing an SSL certificate, followed by installing it and then configuring your website to load HTTPS by default. If you have a basic website that makes use of a single domain name, an SSL certificate will run you between CAD $20 and $300 per year, depending on the brand and validation level you choose. If SSL installation and configuration has been the hurdle holding you back, our team is happy to help you clear it.
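A site owner working through these steps can first inventory which pages accept typed text over plain HTTP, since those are the pages that draw the red warning. The sketch below is an added example, not code from Webnames or Chrome: the list of input types is an assumption about what counts as a text field, and the pages are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: these input types count as fields where "text can be submitted".
TEXT_TYPES = {"text", "search", "email", "password", "tel", "url", "number"}

class TextFieldFinder(HTMLParser):
    """Collects (kind, name) for every field a visitor can type into."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "textarea":
            self.fields.append(("textarea", a.get("name") or ""))
        elif tag == "input":
            kind = (a.get("type") or "text").lower()  # a missing type means text
            if kind in TEXT_TYPES:
                self.fields.append((kind, a.get("name") or ""))

def audit_site(pages):
    """Map each plain-HTTP URL to its text-entry fields; HTTPS pages are skipped."""
    report = {}
    for url, html in pages.items():
        if urlsplit(url).scheme.lower() != "http":
            continue
        finder = TextFieldFinder()
        finder.feed(html)
        if finder.fields:
            report[url] = finder.fields
    return report

# Constructed sample pages (not real sites).
SAMPLE_PAGES = {
    "http://shop.example/": '<form><input type="search" name="q"><input type="submit"></form>',
    "http://shop.example/contact": '<form><input name="from"><textarea name="message"></textarea>'
                                   '<input type="checkbox" name="optin"></form>',
    "http://shop.example/about": "<p>No forms here.</p>",
    "https://shop.example/login": '<form><input type="password" name="pw"></form>',
}

if __name__ == "__main__":
    for url, fields in audit_site(SAMPLE_PAGES).items():
        print(url, fields)
```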
HTTPS adoption has already passed the tipping point, and for good reason: we all want and deserve a secure web. Here at Webnames, we don’t want to see any of our customers get left behind - which is exactly what will happen as increasing numbers of web users turn away from unsecured websites. Let us help you make Not Secure warnings a thing of the past - no more excuses.