The pursuit of stronger data security and the need for stronger user protections is continually driving the evolution of SSL. On a continuous basis, new protocols and safety provisions are being introduced by the major browsers, including Google Chrome, Mozilla Firefox, and Apple Safari. As a result of this is HTTPS, and encryption as a whole, can both display and behave differently from year to year.
As we settle into the new year—2020, here is a round-up of noteworthy changes to SSL to be aware of:
Browsers Displaying Negative Indicators for HTTP URLs
Let’s start with something you probably thought happened a while ago. You likely already know that since 2018, Google's Chrome browser has been showing “Not Secure” warnings alongside unencrypted (http://) websites. What you may not realize is that was only last year the other major browsers followed suit. Apple Safari (MacOS 10.14.4) started the warnings in March 2019, and Mozilla Firefox (Version 70) followed suit in October.
Together, these 3 browsers comprise 86% market share, with Chrome making up 64% of that. So it's a pretty safe bet that the vast majority of visitors will be using one of the above to access your website.
Through the use of negative indicators from these browsers, the hope is that you, the site owner, are more apt to take action and securing their site. Website owners understand that site visitors lose trust and confidence in conducting business or sharing any information with a website that has prominent warning messages showcased. With the rise in phishing scams, identity theft tactics and cybersecurity breaches, visitors are rightfully more cautious and on-guard than ever.
In need of an SSL certificate for your website? Click here.
Browsers Forcing HTTPS and Blocking “Mixed Content”
With the ultimate goal of encrypting all websites, Google Chrome is continuing to prod website owners down the secured-site path, whether they’re ready or not. While it would seem logical that all website owners would have an SSL certificate properly installed on their site in the year 2020, there are still sites that are falling short.
For instance, if a site has an SSL, but is not forcing the “https://” protocol, the site will not be properly secured.
The protocol for the site defaults to “http://”, rendering the site as “Not Secured” by Chrome. You could simply change the .htaccess file on your server, as we explain here, or you could just let Google fix it for you. That’s right, to combat this simple oversight, Google Chrome (Version 79) will force the “https://” protocol where possible.
For the most part, this is good news, less work for you. However, if there are elements on your site that load via “http://” (e.g. image, video, scripts, etc), you will receive a “Mixed Content” SSL certificate error. You know the one, “Your connection to this site is not fully secure.”
And they aren’t stopping there, Google Chrome will now start to block the unsecured content from displaying at all. To ensure that all your content is displaying properly, make sure your site's content, images, videos, and audio are all directing over HTTPS. If you are hosting all of your content on the site's server and you already have SSL, simply make sure the images are being accessed via https. If you are sharing content from other sites, you'll need to confirm that the embedded links include HTTPS. And if that content is coming from non-secure sites you may want to find a different source.
If that seems like too much work, you may only have to wait a bit for Google to fix that for you too.
Google has plans to auto-redirect video and images where possible when it rolls our Chrome versions 80 and 81 respectfully, anticipated for February 2020 release. In the end, Google may force you to be secure, but they are trying to make it as easy as possible. The only thing you have to do is make sure you have an SSL properly installed on your site - something the team at Webnames can help you with whenever you need it.
Get your SSL today. Need help determining which SSL certificate is appropriate for your website? We're here to help!
Browsers Hiding Protocols (https:// http://) From URL and Removing Green EV Indicators
While it may seem like browsers have been adding more display features for SSLs, they’ve also been removing certain items. Since we have entered an era where the norm is to have HTTPS, and not having it will trigger the negative indicators, do we really still need to show HTTP or HTTPS?. For Google the answer is no, and accordingly, Chrome (Version 76) is hiding the protocol (https:// or http://) in the address bar.
In a more complex manner, Google Chrome (Version 77) has also removed the user interface (UI) indicator for Extended Validation (EV) SSL certificates from the browser, commonly referred to as the Green Address Bar. Although the visually green indicator is gone, the EV certificate company details can still be accessed by clicking on the padlock icon in the URL address bar of the browser. Keeping in sync, Firefox (Version 70) also removed the green indicator for EV SSLs.
While browser engineers now view the green EV indicator as unnecessary, there are still plenty in the information security space that believe verification symbols are extremely important, especially when it comes to financial and healthcare institutions. Just as social media sites place great importance on verifying real accounts with blue checkmarks for example, verification symbols for real businesses and entities will need to be satisfied.
Given the continuous evolution of browsers and their handling of HTTPS and SSL, we can safely expect to see even more changes roll out in 2020. Stay tuned and keep secure!
* * *
Jack Parrish is a Partner Growth Manager for The SSL Store, and an expert in SSL/TLS certificates.