Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS. (Google security blog)
All websites, whether or not they require users to log in, should switch to HTTPS in the near future. Most website owners have probably considered this in the past but have kept it on the back burner. This is just another reason 2017 is a good year to revisit using HTTPS on your website.
Who needs to switch to HTTPS?
A wide range of websites can be affected: any site that requires users to log in to access content, register, comment, or buy anything, for example. Most associations, nonprofits, and NGOs are probably affected. Here are some common examples that will be affected by this change:
- Members-only content. If your site includes some members-only content, your members (presumably) have to log in to see it. The login page will need to be secured (encrypted) to avoid the warning.
- E-commerce or bookstore. Even if your bookstore or e-commerce site does not process credit cards directly and you are not required to be PCI compliant, your online store allows users to log in to check on order status, or see past orders, for example. This means at least the login pages will trigger a warning.
- Member or alumni ‘Portal’ sites also require a login.
- Intranets may also trigger a warning, so alert your staff.
Eventually, all HTTP websites will get the warning. Google has not announced when this will happen, but they do encourage people to switch to using HTTPS everywhere in the “long term.”
What does the Chrome security warning mean for my users?
Google Chrome will warn visitors that your site is insecure. This will happen when your site is unencrypted and asks for a password or a credit card:
- Your site is unencrypted, that is, it is accessed over HTTP. SSL/TLS-secured sites (HTTPS) are not affected.
- Your site requires a login. Specifically, if Chrome sees a password field on your site.
- You ask for a credit card. Again, Chrome is looking for a credit card field.
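To find out which of your own pages meet these conditions, you can scan their HTML. The script below is an added example, not code from Google or from the original post. It assumes credit card fields are marked with the HTML-standard `autocomplete` tokens (Chrome's own detection logic is not described here), and the URLs and markup in it are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: card fields are recognised by the HTML-standard autocomplete
# tokens below; Chrome's own detection is not described on this page.
CARD_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month",
               "cc-exp-year", "cc-csc", "cc-type"}


class SensitiveFieldFinder(HTMLParser):
    """Collects the reasons a page counts as asking for a password or card."""

    def __init__(self):
        super().__init__()
        self.reasons = set()

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute names arrive lowercased; values may be None (bare attribute).
        a = {k: (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.reasons.add("password field")
        # autocomplete can hold several space-separated tokens.
        if CARD_TOKENS & set(a.get("autocomplete", "").split()):
            self.reasons.add("credit card field")


def audit_page(url, html):
    """Return the sorted reasons a page would be flagged; empty list if none."""
    if urlsplit(url).scheme.lower() == "https":
        return []  # HTTPS pages are not affected
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return sorted(finder.reasons)


# Constructed sample pages (hypothetical URLs and markup).
SAMPLES = {
    "http://example.org/login": '<form><input name="u"><input type="PASSWORD" name="p"></form>',
    "http://example.org/donate": '<input autocomplete="cc-number"><input autocomplete="section-pay cc-csc">',
    "https://example.org/login": '<input type="password">',
    "http://example.org/about": '<input type="search" name="q">',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(url, "->", audit_page(url, html) or "no warning")
```

Feed it the saved HTML of your login, checkout and donation pages; any page that returns a non-empty list is one to move to HTTPS first.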
When and where will Chrome start warning users that my site is insecure?
The roll-out of this feature will happen in two stages.
As of January 2017, the first phase has begun to roll out. In this phase, Google Chrome will show an informational, black-and-white icon on the browser’s address bar to inform the user that the site is “not secure”:
Here’s a sample image from Google:
Later in 2017, the warning will be red, more visible, and more likely to discourage your users, similar to the image at the top of the page. In the long term, this warning will be shown for all HTTP websites.
For now, Chrome is the only browser that has announced this action. Other browsers are expected to follow suit in the near future.
Why is Google doing this to me?! Why is HTTPS so important?
HTTP is a very insecure protocol. HTTPS is the secure version of the same protocol, and provides both encryption and authentication of your site. Google and other companies have pushed for more widespread adoption of HTTPS over the past few years. HTTPS protects the integrity of your website as well as the privacy and security of your users. In addition, new technologies will require more and more permissions from the user before integrating with your website. As this happens, these APIs will require HTTPS connections to your website: in the future, your website will need to be secured with HTTPS in order to take advantage of new technologies.
How do I enable HTTPS?
Unfortunately, adding HTTPS is not as simple as flipping a switch. Advances in the past few years have made implementation a little easier, but there are still several steps involved. Your best bet is to hire someone familiar with the protocol and server administration.
As always, don’t hesitate to contact us to help implement HTTPS on your site.