Organizations have only four and a half months to upgrade their Web sites to use HTTPS encryption. After that, Google Chrome browsers will mark sites using only HTTP as “not secure.”
That’s because starting July 1, with the release of Chrome 68, all Web sites not using encryption will be marked and insecure as a way to give users more confidence in Internet security.
Firms that only use their sites for information and not transactions may not care, but there is a risk that a “not secure” label in the URL will cause reputational harm. Right now Chrome displays an exclamation mark beside the URL of a site that doesn’t use HTTPS and doesn’t have a password or credit card form field. If it does have one of those fields the URL also includes the words “not secure.” Viewers may ignore those signs now. However, at some point soon those warnings will change to red with a warning triangle.
Sites using HTTPS have a green padlock and the word “Secure” in the URL address line. Increasingly consumers are getting used to looking for it.
Many developers have got the message, Google said in a post last week, saying progress in 2017 was “incredible.” It released these numbers:
- Over 68 per cent of Chrome traffic on both Android and Windows is now protected;
- Over 78 per cent of Chrome traffic on both Chrome OS and Mac is now protected;
- 81 of the top 100 sites on the web use HTTPS by default.
Google said it isn’t hard to set up HTTPS. “Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving Web pages. The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.”
Security writer Graham Cluley notes that Chrome marked HTTP pages that collect passwords or credit card information as not secure since early 2017, and then extended it to when an HTTP webpage is visited in Incognito (private browsing) mode, and when users enter data on an HTTP webpage.
“Remember,” he adds, “just because a website is using HTTPS does not mean that it can necessarily be 100 per cent trusted – and similarly, a website that is still using HTTP just might be doing a decent job in how it handles the rest of its security or your personal information (although its lack of HTTPS in such a situation would be a surprising omission).” However, a warning is better than nothing.