If you’re still running a website that is still using insecure HTTP then it’s time to wake up and drink the coffee.
Because unless you take action soon, you’re going to find many of your visitors are going to distrust your website.
The reason? Google is pushing ahead with its plan for the Chrome browser to start labelling all sites that continue to use unencrypted HTTP as “not secure” from July 2018.
HTTPS is a marked improvement over HTTP as it provides end-to-end encryption between the website’s server and your computer, preventing snoopers from seeing what messages you might be sending to a site, or the information you may be downloading.
In the last year more and more sites have made the switch to HTTPS, which is terrific news for everyone who cares about security and privacy.
According to a Google blog post, more than 68% of Chrome traffic on Android and Windows is now protected with HTTPS. The figure is even higher on Chrome OS and Mac, where Chrome traffic is protected over 78% of the time. And, importantly 81% of the top 100 websites are using HTTPS by default.
That’s excellent progress, but Google wants to push HTTPS adoption even harder.
Google’s Chrome browser has already been marking HTTP pages that collect passwords or credit card information as not secure since early 2017. It then began displaying the “not secure” warning in two additional situations: when an HTTP webpage is visited in Incognito (private browsing) mode, and when users enter data on an HTTP webpage.
But this latest step will brand all HTTP sites with a non-secure stamp, and owners of non-HTTPS websites need to consider how their site visitors will react to that warning. My guess is that it will unsettle many users.
Many internet users may not understand the difference between a secure encrypted HTTPS connection and whether a website itself can be considered to be properly secured or not.
Remember, just because a website is using HTTPS does not mean that it can necessarily be 100% trusted – and similarly, a website that is still using HTTP just might be doing a decent job in how it handles the rest of its security or your personal information (although its lack of HTTPS in such a situation would be a surprising omission).
However, Google is between a rock and a hard place. It seems impossible to find a mark of whether a website is properly encrypting information sent between its server and visiting computers that gets the balance right between being easy-to-understand, clearly visible, and not inferring that everything is safe (or unsafe) about the site you are visiting.
Google Chrome’s warning may not be perfect, but it’s the best we’ve got. And things are going to become even more obvious at some later date when Google changes its upcoming grey-coloured “not secure” warning in the browser’s URL bar to a vivid red colour alongside a warning triangle.
It goes without saying then, that if you haven’t already switched your website to HTTPS you really should.
written by Graham Cluley, ESET We Live Security