On July 24th, Google released Chrome 68, which will mark insecure any page loaded over an HTTP connection. The long-planned move means that any site that doesn’t have an SSL certificate that enables it to use HTTPS will be prominently marked as insecure in the browser’s search bar.
HTTPS is a secure version of HTTP, the protocol used to send data over the internet. With HTTP, data is sent in the clear: it can be intercepted and read by third parties in what is known as a man-in-the-middle attack.
HTTPS connections use SSL certificates to encrypt the data and validate the identity of the server sending it. Data traveling over an HTTPS connection can’t be intercepted and read by a man in the middle.
Historically, HTTPS was used on eCommerce stores and other sites that receive or transmit sensitive data. In the last few years, Google and security experts have encouraged much wider adoption, arguing that every site should be protected by HTTPS.
Chrome will now display warnings for every page that is not loaded over an HTTPS connection. That’s important for sites that don’t use HTTPS because most users are unlikely to understand exactly what is insecure about them.
The History Of Google’s Push For HTTPS Everywhere
Google has been gradually moving Chrome in this direction for the last several years. Pages were once marked as secure if they used HTTPS. Pages that didn’t were displayed with no message. Last year, Chrome began to display warnings on HTTP sites when the browser was in incognito mode or when the user was asked to enter information. From this month, Chrome will display a “secure” notice for HTTPS pages and an “insecure” notice for HTTP pages.
In September, Google will go a step further and remove the “secure” notification for HTTPS sites. And in October the warning on HTTP pages will change from a neutral color to a noticeable red.
In addition to encouraging sites by warning users in the browser, Google also gives sites with HTTPS a boost in search engine results. All else being equal, a page delivered over an HTTPS connection will rank higher than an HTTP page.
The State Of HTTPS
HTTPS adoption has skyrocketed in recent years. Eighty-four percent of sites loaded by Google Chrome use HTTPS. So do 83 of the top-100 sites. But a large number of smaller sites do not have an SSL certificate and they are likely to be hardest hit by the new warnings.
HTTPS is a good thing. It keeps users and hosting clients safe. Adding an SSL certificate to a site was once complex and expensive. That’s no longer the case. At Nexcess, many of our WordPress, WooCommerce, and Magento hosting accounts include a free standard SSL certificate and we’re happy to help eCommerce retailers and site owners add a premium or extended validation SSL certificate to their site.
It’s likely that SSL will become ubiquitous in the near future. HTTPS is required by modern web technology like HTTP2 and Service Workers, which are the foundation of Progressive Web Apps. Magento is working on PWA solutions for eCommerce and developers have just started work on a feature plugin that will make WordPress and WooCommerce PWA-friendly.
If you would like more information about implementing SSL on your website or eCommerce store, our support team is waiting to hear from you.Posted in: Security