Have you been meaning to implement HTTPS on your website?
Well, now it is critical if you want to be seen as a trusted source by your site visitors. In a recent announcement, Google confirmed that HTTP sites visited in Chrome will be marked as “Not Secure” from July 2018, with the release of Chrome 68.
There has been a gradual move by Google, marking subsets of HTTP pages as “not secure” as I wrote in my original post.
This article has been updated on 17 February 2018 to reflect these changes. It was originally published on 18 August 2018 and you can see the original post below.
You may have noticed that people have been posting online about receiving this notification from Google:
Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as `<input type="text">` or `<input type="email">`) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.
The new warning is part of a long term plan to mark all pages served over HTTP as “not secure”.
Here’s how to fix this problem:
- Migrate to HTTPS
- To prevent the “Not Secure” notification from appearing when Chrome users visit your site, only collect user input data on pages served using HTTPS.
If you have been paying close attention to the topic of site security, these warnings will not be a surprise.
Back in 2016 Google wrote about the steps it was taking to provide a more secure Internet which you can read here.
They even went as far as publishing a Transparency Report covering both public and private data sources to track the HTTPS state of the top 100 non-Google sites on the Internet (probably accounting for 25% of all website traffic worldwide), and you can see which sites are secure (or not), some of which may surprise you.
HTTP (HyperText Transfer Protocol) and HTTPS (HyperText Transfer Protocol Secure) are both protocols, or languages, for passing information between web servers and clients. HTTPS is a secure connection, whereas HTTP is unsecure.
Several months ago I went to a meetup of WordPress users, and the developers there were surprised that my site, which is not accepting online payments directly, was already set up for HTTPS (though I have a glitch or two I am trying to resolve on that still). It seems that not too many of their clients had been asking about HTTPS other than if they were ecommerce sites. Well, that is about to change.
Go back and read that notice again and see how it says “Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode”. So if you have an optin form on your website and your site is not set up as HTTPS it will show on Chrome as not secure – and that probably will not instill confidence in your site visitors.
In April 2017 Google posted the following:
In January, we began our quest to improve how Chrome communicates the connection security of HTTP pages. Chrome now marks HTTP pages as “Not secure” if they have password or credit card fields. Beginning in October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we’re ready to take the next steps. Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites.
Eventually, we plan to show the “Not secure” warning for all HTTP pages, even outside Incognito mode. We will publish updates as we approach future releases, but don’t wait to get started moving to HTTPS! HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. Check out our set-up guides to get started.
Therefore today’s flurry of communications should not really be a surprise to us, as Google is just providing advance warning.
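To find the pages the notification and the April post are talking about before Chrome flags them, the following added example (not part of Google's notice or of any Chrome code) scans a page's HTML for fields that would trigger the label when the page is served over HTTP. The rule names, the sample page, and the set of input types treated as text entry are assumptions of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these input types count as "entering text" for the Chrome 62 rule.
TEXT_TYPES = {"text", "email", "search", "tel", "url", "number"}

class InputAudit(HTMLParser):
    """Collects fields that would cause a "Not secure" label on an HTTP page."""
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (rule, tag, field name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name") or a.get("id") or "(unnamed)"
        if tag == "textarea":
            self.findings.append(("chrome62-text-entry", tag, name))
        elif tag == "input":
            kind = (a.get("type") or "text").lower()  # a missing type means text
            if kind == "password":
                # Password fields on HTTP pages were already marked from Chrome 56.
                self.findings.append(("chrome56-password", tag, name))
            elif kind in TEXT_TYPES:
                self.findings.append(("chrome62-text-entry", tag, name))

def audit_page(url, html):
    """Return the fields on `url` that would be labelled; empty for HTTPS pages."""
    if urlparse(url).scheme.lower() == "https":
        return []
    parser = InputAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: an opt-in form and a login form on the same page.
SAMPLE_HTML = """
<form action="/subscribe" method="post">
  <input type="email" name="subscriber_email">
  <input name="first_name">
  <input type="submit" value="Join">
</form>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="csrf" value="x">
</form>
"""

if __name__ == "__main__":
    for rule, tag, name in audit_page("http://example.com/contact", SAMPLE_HTML):
        print(f"{rule:22} <{tag}> {name}")
```

Run it over every template that renders a form; any page that returns findings needs to be served over HTTPS before it collects input.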
My friend MaAnna at Blogaid was straight onto this today when the news broke, and in her article she covers some of the things that it takes to be HTTPS for a WordPress.org site:
- your database actually converted in a WordPress-aware way
- a real green padlock
- mixed media being secure
- full security headers
- proper updates to Google Analytics and Search Console
- acceptance on Chrome safe site preload list (that all other browsers copy).
Read this other article from her with recommendations on why you should not use a free solution with your host here.
If all this sounds complex, now is the time to talk to your web development team. The purpose of my writing this article is to provide you a prompt on this important update that is coming soon.
If you have been delaying sorting out HTTPS for your site because you are not selling online, but you are collecting data, there is basically no option but to get this sorted out now. Statcounter reports that 54.27% of the world’s internet users are using Chrome as at the end of July 2017, so even if you don’t (and I don’t) use Chrome as your primary browser, you can be sure that lots of your clients and prospects do.
I hope this acts as a helpful prompt to get your site secured.