Chrome browser to start labeling Non-HTTPS sites as Not Secure

18 Jan 2017
Posted by Jediweb

What is a non-HTTPS site?

Non-HTTPS websites send information between a user’s browser and the website unencrypted, so onlookers positioned between the two can see it. This could include potentially sensitive information such as passwords and credit card details.

HTTPS-enabled sites encrypt the data between the user’s browser and the website they are visiting, making it much more difficult for onlookers to intercept and read the user’s sensitive information.

Another issue with non-HTTPS sites is that they are vulnerable to third parties modifying data sent by the website to the user’s browser. Modifications can be as simple as injecting advertisements or banners, sometimes done by free Wi-Fi hotspots or Internet service providers. More nefarious third parties may inject malicious software in an attempt to take control of a user’s computer.

Correctly configured HTTPS-enabled sites ensure that the data being downloaded from a website actually comes from that website, thus preventing website data being modified before it reaches the user’s browser.

Google are trying to make the web a safer place

From around 31 January 2017, the latest version of the Google Chrome browser (v56) will be released (Chrome release schedule). It will display non-HTTPS sites as “Not Secure” on pages which collect passwords or credit card information. The image below displays the differences in what the Chrome address bar will look like between v53 and v56 of the browser.

Image Source: Google Security Blog

So, you’re thinking “but my site doesn’t take payment information, or password details, so why do I care?”

This is Google’s first step in a phased rollout that encourages site owners to banish plain, insecure HTTP altogether.

In the next phase of the roll-out (in a later version of Chrome), the browser will label all non-HTTPS pages when running in incognito mode as “Not Secure”. This is because when a user is running in this mode, there is a greater expectation of privacy.

The last phase of this roll-out will have Chrome labeling ALL plain HTTP pages as “Not Secure”. The image below displays how the Chrome browser address bar will look for any non-HTTPS page it loads (in a later version of Chrome):

Image Source: Google Security Blog
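
The three phases described above can be turned into an audit of your own pages before the labels arrive. This is an added example, not code from Google or from this post; it covers all three phases in one function and assumes card fields are recognised by `cc-*` autocomplete tokens (Chrome's own detection differs). The page strings and the `example.test` host are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveInputFinder(HTMLParser):
    """Collects <input> fields that ask for a password or card data."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.found.append("password")
        # Assumption: card fields are recognised by the HTML autocomplete
        # tokens cc-number, cc-exp, cc-csc, ... Chrome's own detection differs.
        elif any(t.startswith("cc-") for t in a.get("autocomplete", "").split()):
            self.found.append("card")


def sensitive_inputs(html):
    finder = SensitiveInputFinder()
    finder.feed(html)
    finder.close()
    return finder.found


def not_secure(url, html, phase=1, incognito=False):
    """True if the page would get the "Not Secure" label in the given phase."""
    if urlsplit(url).scheme == "https":
        return False
    if phase >= 3:                       # last phase: every plain HTTP page
        return True
    if phase == 2 and incognito:         # next phase: all HTTP pages in incognito
        return True
    return bool(sensitive_inputs(html))  # first phase (Chrome 56): sensitive forms


# Constructed sample pages (hypothetical site).
LOGIN = '<form><input name="u"><input type="PASSWORD" name="p"></form>'
PAY = '<form><input name="n" autocomplete="cc-number"></form>'
BLOG = '<article><input type="search" name="q"></article>'

if __name__ == "__main__":
    for path, html in (("/login", LOGIN), ("/pay", PAY), ("/blog", BLOG)):
        print(path, [not_secure("http://example.test" + path, html, phase=p) for p in (1, 2, 3)])
```

Feed it the saved HTML of each page on your site together with the URL it is served from; any page that returns `True` for phase 1 should be moved to HTTPS first.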

If you do not plan ahead, your site visitors will start landing on your site and the browser address bar will display “Not Secure”. If this happens, you will see a massive drop in traffic.

On the other hand, if you are proactive and secure your site with SSL, you can expect the following benefits:

  • security to all pages on your site
  • browser user privacy
  • support for HTTP Strict Transport Security (HSTS), which makes the browser show an error if the site cannot be loaded securely
  • higher search engine rankings in Google
  • higher trust indication with a green padlock

What to do if your site is not secured

The obvious answer is to install an SSL certificate from a reputable provider. We highly recommend using Let’s Encrypt for this.

Contact us if you need a hand getting your site secured.

Posted in: Security