HTTP is the protocol used by web browsers to communicate with websites. HTTPS — note the additional “S” at the end — is a secure version of HTTP. HTTPS uses SSL certificates issued by a Certificate Authority to encrypt data as it moves between the browser and the server on which a site is hosted. Data sent over an HTTPS connection cannot be read or modified in transit by third parties. HTTPS makes sure that no one on the network — either the local network or the Internet — can intercept or interfere with data as it travels between the browser and the server.
Until recently, browsers displayed a warning for sites that had obvious security problems. Sites that allowed users to connect with HTTPS were considered secure. Sites without HTTPS were considered neutral — no warnings were displayed. Last year, Google announced a change in the way it viewed the security of web pages: all sites without HTTPS are now considered insecure. The only secure sites are those that have a valid SSL certificate.
Google and other browser developers didn’t immediately begin to flag all non-HTTPS sites as insecure, but they have gradually increased the scope of “Not secure” warnings. Since January, Chrome has displayed “Not secure” warnings for all non-HTTPS pages with credit card or password fields. With the expected release of Google Chrome 62 in October, the range of sites Chrome considers insecure will be extended to unprotected pages that take user input.
Any HTTP page on which users submit data will be considered insecure. That includes email submission forms, comments, and any other page with a form element.
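The two rules described above (password or credit-card fields since January, any user-input form from Chrome 62) can be checked ahead of time with a small audit script. The following is an added example written for this post, not code from Google or the original article; it assumes that an `autocomplete="cc-*"` token is a reasonable stand-in for Chrome's own credit-card field detection, which is a labelled simplification.

```python
"""Audit HTML pages for the conditions that trigger Chrome's "Not secure" warning on HTTP."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Controls that do not accept typed user input and so never trigger the warning.
NON_INPUT_TYPES = {"hidden", "submit", "button", "image", "reset"}


class InputCollector(HTMLParser):
    """Collects every user-editable control on the page with its type and autocomplete token."""
    def __init__(self):
        super().__init__()
        self.controls = []   # (tag, type, autocomplete)
        self.has_form = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.has_form = True
        elif tag in ("input", "textarea", "select"):
            itype = a.get("type", "text") if tag == "input" else tag
            if itype not in NON_INPUT_TYPES:
                self.controls.append((tag, itype, a.get("autocomplete", "")))


def audit(url, html):
    """Classify one page. Returns (flagged_since_january, flagged_in_chrome_62, reasons).
    flagged_since_january: HTTP page with a password or credit-card field.
    flagged_in_chrome_62:  HTTP page with any control (or form) that takes user input."""
    if urlsplit(url).scheme.lower() == "https":
        return False, False, []          # HTTPS pages are never flagged
    p = InputCollector()
    p.feed(html)
    reasons = set()
    for _tag, itype, autocomplete in p.controls:
        if itype == "password":
            reasons.add("password field")
        # Assumption: "cc-*" autocomplete tokens mark credit-card fields;
        # Chrome's real detection also uses autofill heuristics.
        elif autocomplete.startswith("cc-"):
            reasons.add("credit card field")
    january = bool(reasons)
    takes_input = bool(p.controls) or p.has_form
    if takes_input and not january:
        reasons.add("user-input form")
    return january, takes_input, sorted(reasons)


if __name__ == "__main__":
    # Constructed sample page, not taken from any real site.
    sample = '<form action="/comment"><textarea name="c"></textarea><input type="submit"></form>'
    print(audit("http://example.com/post", sample))
```

Feed it the URL and body of each page in a crawl to produce a list of pages to migrate before the Chrome 62 warning lands.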
The general trend towards increased security on the web makes sense. A few years ago, implementing HTTPS was beyond the technical capability of many; it was complex, expensive, and easy to get wrong. Today, with the wide availability of free SSL certificates from Certificate Authorities like Let’s Encrypt, setting up HTTPS is a breeze and there’s no real reason not to jump in with both feet.
In addition to pages on which users submit data, Google Chrome will display warnings on all HTTP pages visited in Incognito mode. Incognito mode is intended to keep a user’s browsing private. Pages that are served over HTTP can be viewed by users on the same network, defeating the purpose of browsing with Incognito mode turned on.
Google is likely to continue to increase the scope of “Not secure” warnings. They will eventually be displayed for any web page that is not served over an HTTPS connection.