As you may know, Google has been pushing for ‘secure by default’ for all websites. In July this year, with the release of Google Chrome 68, any website that is HTTP only and not HTTPS will be flagged as insecure to the user. Whilst the drive towards HTTPS is nothing new, Google believes mid-summer this year will see the tipping point where they can mark ALL websites that have not migrated to HTTPS as ‘not secure’.
HTTPS encryption offers protection between the browser and the website you are visiting, ensuring that no-one in the middle can tamper with the traffic or spy on any information sent across the connection. Without such encryption, someone with access to your router or ISP could intercept the information sent via any web form or inject malware into otherwise legitimate pages.
Currently, Chrome displays non-secure websites with a neutral information icon within the URL address bar. In Chrome 68, due for release in July, this icon will be expanded to include the words ‘not secure’ alongside it. The eventual treatment of any non-secure website in future Chrome releases will be a red flag within the icon bar. For e-commerce websites this would be a major concern to the user, who would be advised not to enter any personal or card details via that website.
Google have incentivised this push towards HTTPS by introducing it as a ranking signal, so websites that are secure rank higher in their search results than those websites that use standard HTTP requests. The campaign has proven to be successful; according to a recent blog post:
- Over 68% of Chrome traffic on both Android and Windows is now protected
- Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
- 81 of the top 100 websites use HTTPS by default.
In addition to the above, Google Chrome has a desktop browser market share of over 65% and just over 50% market share on mobile. So the impact of the upcoming browser changes cannot be ignored.
The process of switching a website over to HTTPS isn’t always trivial, but it has been made substantially easier and cheaper via services such as ‘Let’s Encrypt’, a free, automated and open Certificate Authority operated by the not-for-profit Internet Security Research Group. This gives website owners and developers less of an excuse not to adopt HTTPS.
Sources
The Verge – https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl
Chromium Blog – https://blog.chromium.org/2018/02/a-secure-web-is-here-to-stay.html