
Google to mark HTTP sites as non-secure in Chrome

Google has announced that as of October 2017, their internet browser Chrome will show a ‘NOT SECURE’ warning when users enter text into a form on an HTTP page, and on all HTTP pages in Incognito mode. The purpose of this update is to help protect users' data. Visually, the warning will look like the red triangle that is currently used for broken HTTPS pages.

The release of Chrome 56 in January 2017 introduced a change so that HTTP websites that collect passwords or credit card information are marked as Not Secure in the address bar. This new update takes it one step further, and eventually Google will look to roll this out to any page that uses HTTP instead of HTTPS.

Google explains the reasoning for highlighting HTTP sites as non-secure below:

When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you. Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria.

What are HTTP and HTTPS?

HTTP (Hypertext Transfer Protocol) is the foundation of data communication for the World Wide Web and is what you see at the start of most web addresses e.g. http://www.oneclick.co.nz

HTTPS (Hypertext Transfer Protocol Secure) is the communications protocol for secure communication over a computer network on the Internet. The main purpose of HTTPS is to authenticate websites and ensure the protection of the privacy of data exchanged over a website, protecting against eavesdropping and tampering with or forging the contents of the communication. When a website is using HTTPS their web address will start with HTTPS e.g. https://www.oneclick.co.nz

 

Changing from HTTP to HTTPS
Example of Chrome non-secure site

What does this update mean for my website?

If your website uses the HTTPS protocol, then it will not be affected by this update. If your website is currently using the HTTP protocol, then from October 2017 onwards, a Not Secure warning will show in the address bar for any web pages that collect visitors' data via a form. This warning will also show for all HTTP pages when someone is visiting your website through Chrome's Incognito mode (private browsing). Longer term, Google are looking to extend this update to mark all pages served over HTTP as Not Secure.

Such warning messages can be off-putting for users and may mean they leave your website because it seems untrustworthy.
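The criteria described above can be checked against a page's HTML before the warning reaches visitors. The following Python audit is an added example, not code from Google or from this article; the list of text field types, the `cc-` autocomplete test used to spot card fields, and the `example.test` sample pages are assumptions made here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input types that accept typed text (assumption: this audit's own list).
TEXT_TYPES = {"text", "search", "email", "url", "tel", "number", "password"}

class FieldCollector(HTMLParser):
    """Counts data-entry fields in a page, inside a <form> or not."""
    def __init__(self):
        super().__init__()
        self.text_fields = 0
        self.sensitive_fields = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "textarea":
            self.text_fields += 1
        elif tag == "input":
            kind = a.get("type") or "text"  # a missing type means a text box
            if kind in TEXT_TYPES:
                self.text_fields += 1
            # Assumption: card fields are recognised by autocomplete="cc-*".
            if kind == "password" or a.get("autocomplete", "").startswith("cc-"):
                self.sensitive_fields += 1

def audit(url, html, incognito=False):
    """Return why the page would be labelled Not Secure, or None."""
    if urlparse(url).scheme != "http":
        return None  # HTTPS pages are not affected by this update
    fields = FieldCollector()
    fields.feed(html)
    if fields.sensitive_fields:
        return "chrome56: collects passwords or card details over HTTP"
    if incognito:
        return "oct2017: HTTP page viewed in Incognito mode"
    if fields.text_fields:
        return "oct2017: warning appears once a visitor types into a field"
    return None

# Constructed sample pages.
LOGIN = '<form><input name="u"><input type="password" name="p"></form>'
CONTACT = '<form><input type="email" name="e"><textarea name="m"></textarea></form>'
STATIC = "<h1>About us</h1><p>No forms here.</p>"

if __name__ == "__main__":
    for name, page in [("login", LOGIN), ("contact", CONTACT), ("about", STATIC)]:
        print(name, "->", audit("http://example.test/" + name, page))
```
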

What can I do if my website isn't HTTPS?

To prevent this warning from showing on your website, your website should be updated to use the HTTPS protocol. This can be done by following these steps:

  1. Host your website with a dedicated IP address
  2. Buy an SSL certificate
  3. Activate the SSL certificate
  4. Install the SSL certificate
  5. Update your site to use HTTPS

For full details on how to implement HTTPS on your website see instructions here.

Example of Chrome secure site
Monique Oosterbaan

Author: Monique Oosterbaan
Published: 01/09/2017