All http pages to be marked as not secure as Google gets serious about https / SSL on websites
Over the last couple of years, Google has been gently encouraging website owners and web developers to move their websites to https. This encrypts any information sent by users so it can’t be read by third parties or hackers. This is particularly important when a user logs in or supplies sensitive financial information such as credit card details.
Google’s popular Chrome browser has been warning users for many months if a page is not secure. This normally happens when the web page asks users to log in or supply sensitive information.
A similar message appears for Firefox users directly next to the login field.
Finally, Microsoft’s Edge browser also gives a message.
The warnings in browsers are significant and might alarm users in certain situations. However, Google recently announced that they are escalating the warnings with the following statement on their security blog:
“Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:
- Over 68% of Chrome traffic on both Android and Windows is now protected
- Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
- 81 of the top 100 sites on the web use HTTPS by default”
See this link for more information: A secure web is here to stay
So July 2018 is the cut-off date, and we would expect the other major browsers to follow suit.
Before we cover how you tackle the issue, let’s give you some background to https or SSL (Secure Sockets Layer) pages.
What is https / SSL?
Web pages and transferred data running under http can be read by a third party, and in many cases it doesn’t matter. You might be doing something mundane such as reading a news story on a website or a company’s history on their about us page. While you may be giving away your interests, nothing truly personal is being transferred.
This all changes when you are logging in to a page or submitting sensitive financial information such as credit card details. Most users will want this information protected from prying eyes and from being changed, and that’s what https does.
As long as a website is running under https, the information sent from a web page is encrypted so it can’t be read by a third party. The receiver has the ability to decrypt it, so they can understand it and allow a transaction to take place.
Many web users will look for a padlock or https when they are buying something online, even if they don’t know exactly what it means.
There’s a rather brilliant non-techie explanation of https using carrier pigeons here: HTTPS explained with carrier pigeons
Why are Google encouraging https / SSL?
Google want to encourage people to have a great experience using the web. Adrienne Porter Felt, a software engineer and manager on the Google Chrome Security Team, recently tweeted this:
People sometimes wonder why the @googlechrome team pushes HTTPS so hard. I’ve read some good conspiracy theories. Here’s the reality:
- Many people on the Chrome team are personally passionate about web security. HTTPS is a foundational part of web security. It’s a grassroots effort that worked hard to get leadership support.
- We don’t think people know or care about the difference between HTTP and HTTPS. Security indicators are nigh impossible to get perfect. If everything is HTTPS, one less thing to bother users about.
- ServiceWorkers are revolutionary. They make websites work offline or under flaky network conditions. They’re also too powerful to allow over HTTP. If we want the web to use ServiceWorkers, the web must use HTTPS first.
- From a business perspective, we want people to both feel and be safe online. If they enjoy the web — if it’s fun and reliable and SAFE — we hope they’ll spend time using our product (Chrome).
Moving your website to https
We will cover this in more detail in a future blog post; however, you must have the following:
- An SSL certificate for your web hosting – talk to your web hosting provider.
- Access to the public_html folder for your website files through FTP.
- Access to your website admin for your Content Management System if applicable.
- Access to your Google Analytics and Google Search Console accounts.
Effectively, you are making a change to the URL of your website, so the changes must be done properly and anyone using the old http web address should be redirected to your shiny new secure web page. This applies to all sub-pages too.
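
To check the redirect requirement above once the move is done, here is a small Python audit, added as an example and not part of the original post. It takes recorded responses for old http addresses and reports any that are not redirected to the matching https page. The domain example.com, the sample observations and the preference for permanent (301/308) redirects are assumptions.

```python
from urllib.parse import urlsplit

# Constructed observations: (requested URL, status, Location header), as recorded
# by a crawler or `curl -sI`. example.com is a placeholder domain.
SAMPLE = [
    ("http://example.com/", 301, "https://example.com/"),
    ("http://example.com/about-us", 301, "https://example.com/"),
    ("http://example.com/shop?item=42", 302, "https://example.com/shop?item=42"),
    ("http://example.com/login", 200, None),
    ("http://example.com/contact", 301, "http://www.example.com/contact"),
]

def bare_host(parts):
    """Lower-case host without port or leading 'www.', so a www change is tolerated."""
    host = parts.hostname or ""
    return host[4:] if host.startswith("www.") else host

def check_redirect(url, status, location):
    """Return the list of problems with one http -> https redirect observation."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return ["not redirected: page is still served over http"]
    problems = []
    if status not in (301, 308):  # assumption: the move is meant to be permanent
        problems.append(f"temporary redirect ({status})")
    src, dst = urlsplit(url), urlsplit(location)
    if dst.scheme != "https":
        problems.append("target is not https")
    if bare_host(dst) != bare_host(src):
        problems.append("target is a different host")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("sub-page path or query string was not preserved")
    return problems

def audit(observations):
    """Map each failing URL to its problems; an empty dict means the move is clean."""
    report = {}
    for url, status, location in observations:
        problems = check_redirect(url, status, location)
        if problems:
            report[url] = problems
    return report

if __name__ == "__main__":
    for url, problems in audit(SAMPLE).items():
        print(url, "->", "; ".join(problems))
```

On the sample data, the home page passes and the other four addresses are reported: a sub-page sent to the home page, a temporary redirect, a login page still on http, and a redirect that lands on http again.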