Chrome 68: All HTTP Sites to be Marked ‘Not Secure’ from Today!

What Day is Today? It’s the Chrome HTTPS Day!

The day we have been hoping for, the day we (well, some of us) have been worshipping for, the day we have been waiting for is finally here! Starting today, Google Chrome will show a ‘Not Secure’ warning to users upon visiting an HTTP webpage. This significant update is set to be rolled out in Chrome 68, to be released today. From the web security point of view, this marks one of the most important days in the history of the web.

The crusade against HTTP has been going on for years, and Google has been at the forefront of it. Time after time, Google has delivered blows to the usage of HTTP—starting from giving SEO benefits in 2014 to warning users on typing something.

It’s worth noting here that not everyone will get the Chrome 68 update right away as Google rolls out an update in phases that last around a week.

Why is Google doing this?

You might be aware that there are two main protocols through which your internet browsing takes place—HTTP and HTTPS. As you can see, the ‘S,’ which stands for secure, is what differentiates both. When you’re over an HTTP connection, the data transfer takes place in the plain text, without encryption. This gives a window of opportunity for any unauthorized entity to intercept and tamper the data-in-transit. In technical terminologies, this is called a man-in-the-middle (MiTM) attack. It could be a real danger if you send sensitive information (credit card details, passwords, etc.) over an HTTP connection.

While an HTTPS connection facilitates encryption for every bit of information being exchanged between the client and server. As a result, any ill-intended person cannot see or tamper with the data even if he/she somehow manages to intercept it. This way, a secure connection is established between the client and server—something that Google has been pushing for.

The ‘Not Secure’ Warning

Once installed, all the users having Chrome 68 will get a ‘Not Secure’ warning upon visiting a non-HTTPS web page.

Here’s how it’s going to look:

Such a warning could make a significant difference, especially if you’re an online business or accept online payments. Let’s imagine this from your potential customer’s point of view. A person named Bob is looking for a desk pillow (Yes, that’s a real thing!) and lands on your site to buy it. He likes the product, and the price is right for him as well. He then adds the product in his cart and goes on the checkout page. As he’s about to enter his credit card details, he notices the ‘Not Secure’ sign in the URL Address Bar. He thinks that something’s not right about this site and visits another site to get a desk pillow. Now, if you had HTTPS in place, you could have had a happy customer. But you don’t have it, and it’s quite sad.

This doesn’t mean that only the websites that accept payments need HTTPS. You could have a blog and might be accepting login credentials or have a field for subscribing to your blog. Today’s security-savvy users might have a problem with giving you their credentials if your site is marked ‘Not Secure.’ And even if you don’t have the provision for anything as such, Google provides a ranking advantage to HTTPS-enabled sites. We assume you want that, don’t you?

How to Migrate from HTTP to HTTPS

The thing separating an HTTP site from an HTTPS one is an SSL/TLS certificate. The sites with HTTPS have SSL/TLS certificates enabled on them, and they secure the connection between the client and server. Therefore, to migrate your website to HTTPS, you’ll need to install an SSL certificate.

An SSL certificate facilitates end-to-end encryption to prevent MiTM attacks and provides authentication to counter phishing scams. It’s worth noting here that there are different types of SSL/TLS certificates. You need to choose one to depend upon what you are, what sort of platform you have and what you want.

Your work is not done even if you have installed an SSL certificate. You need to redirect all your webpages to HTTPS using 301 redirects.

Last Word

With more than 50% market share, Google Chrome is by far the most popular web browser on the planet. That is why you cannot afford not to have an SSL certificate. HTTPS is becoming the new norm, and this move by Google marks another milestone in achieving HTTPS everywhere. If you don’t have installed an SSL certificate or haven’t redirected users to HTTPS, you could be in for some real consequences. Nobody wants that.

Therefore, encrypt today!