Chrome marks HTTP pages as Not Secure

What Are Secure Connections?

Secure connections: a connection that is encrypted by one or more security protocols to ensure the security of data flowing between two or more nodes.

This week’s buried & forgotten news is next week’s big news! Chrome browser will begin to mark certain types of HTTP pages as not secure in version 62, release date set for October 17th, 2017.

Published on April 27, 2017 at the Chromium blog: “Chrome now marks HTTP pages as “Not secure” if they have password or credit card fields. Beginning in October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”

Is Chrome your browser of choice?

Do you use the Chrome browser to surf the web, check email, and pay online bills? If yes, you are a Chrome user. You might be reading this because your Chrome browser is spitting out “not secure” security messages. If you aren’t a user, you are a webmaster. It doesn’t matter what browser a webmaster prefers, all webmasters are affected.

We (as webmasters) did have forewarning. As early as September, 2016, the developers of Google Chrome told us they would begin to push a secure connections narrative. One part of that narrative is to mark HTTP web pages as insecure *if* said pages contain user input forms — search boxes, contact forms, credit card fields, for example.  In April 2017 Google announced its success in this endeavor and again let us know there would be even more changes to come.
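An added example (not from the original article and not Chrome's code): a Python audit that applies the rules quoted above to a page's URL and HTML, so a webmaster can list which pages fall under the warning. The function, class and constant names are hypothetical, the sample pages are constructed, and recognising card fields by their `autocomplete` tokens and "data entry" by the presence of typeable fields is a simplifying assumption rather than Chrome's own detection.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types a user cannot type into; any other <input> counts as data entry.
NON_TEXT_TYPES = {"hidden", "submit", "button", "reset", "image",
                  "checkbox", "radio", "file", "range", "color"}
# Standard HTML autocomplete tokens for payment card fields (assumed marker).
CARD_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month",
               "cc-exp-year", "cc-csc", "cc-type"}

# Constructed sample pages, for illustration only.
LOGIN_PAGE = '<form><input name="user"><input type="password" name="pw"></form>'
SEARCH_PAGE = '<form><input type="search" name="q"><input type="submit"></form>'
CHECKOUT_PAGE = '<form><input type="text" autocomplete="cc-number"></form>'
STATIC_PAGE = '<p>Opening hours</p><input type="hidden" name="t">'


class FieldScanner(HTMLParser):
    """Records which kinds of form fields a page contains."""

    def __init__(self):
        super().__init__()
        self.sensitive = False   # password or credit card field present
        self.text_entry = False  # any field a user can type into

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "textarea":
            self.text_entry = True
        elif tag == "input":
            kind = a.get("type", "text")
            card = set(a.get("autocomplete", "").split()) & CARD_TOKENS
            if kind == "password" or card:
                self.sensitive = self.text_entry = True
            elif kind not in NON_TEXT_TYPES:
                self.text_entry = True


def not_secure_reasons(url, html, incognito=False):
    """Return which of the announced 'Not secure' rules the page falls under."""
    if urlsplit(url).scheme.lower() != "http":
        return []  # the rules only concern pages delivered over plain HTTP
    scan = FieldScanner()
    scan.feed(html)
    checks = [(scan.sensitive, "password-or-card-field"),  # already marked
              (scan.text_entry, "user-data-entry"),        # from October 2017
              (incognito, "http-in-incognito")]            # from October 2017
    return [name for hit, name in checks if hit]
```

Run it over each page template of a site: any page that returns a non-empty list is one to move to HTTPS first.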

QUICK LESSON: What is SSL & HTTP?

If you are scratching your head at the acronyms, don’t stress. Here is the rundown:

  • SSL stands for Secure Sockets Layer. SSL is a protocol (a set of rules) for establishing an encrypted link between a web server and a browser.
  • An SSL certificate allows for the secure (encrypted) connection between your browser and the server with which you are communicating. As a user, with regard to SSL certificates, you aren’t required to install anything on your computer or browser. An SSL certificate is something that resides on the web server and is installed by the website owner. When your browser establishes a connection with an HTTPS website, it automatically establishes an encrypted connection.
  • TLS — if you see it mentioned in this article — stands for Transport Layer Security. If I started talking about TLS, then I’d have to first go into the OSI model. And MPLS. And SDN. Too many acronyms and this article is already long enough! Let’s leave it at this: SSL is old. TLS replaced SSL because it uses a stronger form of encryption. We probably use TLS certificates more often than we do SSL certificates. But SSL is the term that most people recognize, so we’re going to stick with it.
  • HTTP stands for Hypertext Transfer Protocol. HTTP is a protocol (a set of rules). It is a method to transport data from one location to another. HTML web pages, for example, are transported over HTTP. Because data is transported in plain text form, it is not considered secure.
  • Like much of the Internet in general, HTTP was never meant to be secure. HTTPS, developed once the need for security became apparent, is a secure form of HTTP.

Users, a little more history: In fact, most of the pieces-parts that make up the Internet weren’t originally designed with security in mind. Development of HTTP fell right in with that line of thinking. Eventually, HTTPS added a method to securely transport encrypted data from one location to another — from your browser to the web serve..err… to the Internet and beyond!

What has changed? Why is an SSL certificate required?

An SSL isn’t required. You can live without one, but read on. There are reasons why you do want to have an SSL certificate on your website!

In the past you might have been led to believe that only e-commerce websites and websites that transmit personally-identifiable information require an SSL certificate. Fast-forward to 2015! Google and other important Internet Influencers agreed that SSL certificates should be the new normal. Using their clout, they started to quietly push for widespread acceptance of that idea. Not surprisingly they were successful! For the past several years Google has even given websites a small bump in SEO value if they have an SSL installed! Added security for website visitors & increased SEO value? Not a bad deal.

 

A secure connection indicator appears in the Chrome omnibar
Once your site has an SSL, this is how the URL will appear in Chrome (and most other browsers). The green lock is a universally-understood symbol.

 

 

How to fix or avoid the ‘problem’

For most everyday browser users, you may feel the pain when visiting a ‘non-compliant’ website, but there really isn’t much that you can do about it. If you are thinking of changing to another mainstream browser such as Edge or Firefox, don’t bother because they plan on doing pretty much the same thing as Chrome. Presenting you, the user, with a clean functional website is the responsibility of the website owner. Unless you don’t feel like surfing the web anymore, there really is no way to avoid the move towards secure connections.

To be clear, this change isn’t a ‘problem’. Not to sound all bible-like, but TRULY I say to you, HTTP is insecure! Additional security is a good thing in this case, because it is being done in a smart way and for good reason. The fact is, SSL has been around since 1994 and has been formally specified by RFC 2818 since May 2000. Its mainstream use could have come about much earlier.

Also to be clear, there is no such thing as a non-compliant website. Purchasing an SSL for your website isn’t required. If you don’t have an SSL, your site will still be accessible to everybody on the Internet. Lack of an SSL certificate won’t directly stop people from being able to access your site.

Which brings us to Google’s trickery. It’s brilliant, actually. Because of the Not Secure indicator (even though the message in no way implies that an HTTP site has been hacked), a large percentage of the Internet population may stop trusting HTTP websites. Browser security warnings (Chrome and others) just may be enough to turn people away from visiting your classic HTTP website. In a sense, it’s a psychological trick, but one that works. Since the release of Chrome 56 in September 2016, there is a reported 23% reduction in the number of navigations to HTTP pages with password or credit card forms on desktop. In other words, people don’t trust what isn’t explicitly labeled secure!

Summary

Based on my understanding of what is about to happen in Chrome version 62, and what Google has planned for future versions of Google Chrome, this is what I recommend…

Webmasters:

  • It’s time to get on board! Let your website clients know that being a good netizen is to everybody’s benefit — firstly, their own clients! Convince them that offering ‘secure connections’ from their website is the best way to go.
  • Let your website clients know that additional security isn’t the only advantage of having an SSL certificate on their website. Help them identify their needs and explore their options. There are SSL certificates ranging in price from free to hundreds-of-dollars-per-year. Those who have extremely basic sites with no interaction and no need for an SSL might opt for a free SSL. An e-Commerce website owner will probably spend $50-75/yr for a high-grade commercial SSL.
  • Obtain an SSL certificate. Install it. Make the necessary code modifications to the website. Charge for the time it takes you to complete the task. Instead of this being a hassle, look at it as a business opportunity and a way to help improve the overall security of the Internet.

 

Website owners: Embrace secure connections. Soon enough, all HTTP web pages will be marked Not Secure.  (This has already been written.)

Chrome (etc.) browser users: When you visit a website that results in the “Not Secure” warning, understand that the site itself is probably safe to visit. It’s the pages of the site that aren’t being delivered to you in a secure manner. Google Chrome just wants you to know very clearly that anything that you submit to the site, or view at the site, can be intercepted, viewed, and possibly modified en route. Ultimately the choice to click further into the site is up to you. (And Google is counting on you avoiding HTTP pages like the plague.)

Need more information about secure connections? I’m willing to speak with businesses who want to take their existing web presence to the next level. Call me. Let’s Talk!