Will Chrome mark your website as ‘not secure’ from July?

Google has announced that when version 68 of its Chrome web browser launches in July, it will mark sites all sites that do not use encryption as ‘not secure’. The move is the next step in Google’s push for all websites to adopt encryption (also known as HTTPS). Over time, Google has been progressively marking more sites as not secure – with it now displaying that sites requesting passwords or credit card information or running in Chrome’s Incognito mode over an unencrypted HTTP connection as insecure.

When a user loads a website over plain HTTP – the data flowing between the user and the website is unencrypted and can be seen by anyone between the user’s device and the web server. This allows for information such as passwords to be eavesdropped and even for malicious material to be added to the data going back and forth.

When a site is connected to over HTTPS, the connection is encrypted end-to-end making it harder for someone to eavesdrop on your information.

When users load a website over plain HTTP, their connection to the site is not encrypted. Anyone between their device and the site can see the information going back and forth or change content before it gets to the user. This allows for passwords to be eavesdropped and malicious material to be added to the data going back and forth.

When using HTTPS, the connection is encypted end-to-end stopping anyone from eavesdropping on your information.

Technology called Secure Sockets Layer (SSL) is used to encrypt data being transmitted over the Internet. It is commonly used for web sites, email services and file transfer. When a user connects to a secured website, the web server and the user’s browser carry out a handshake. The server sends a certificate which the user’s browser verifies before negotiating a secure connection. The user’s browser and server exchange keys and an encrypted session begins. This is all done transparently with the user only knowing about it with the display of a padlock in their address bar.

Do I really need to move to HTTPS?

Whether you really need to move to HTTPS depends on how you think your visitors will react when Chrome (and other browsers will follow) shows that your website is “not secure”. HTTPS has also been a ranking factor with Google’s search for sometime, so to achieve the best search rank you will need to go secured.

E-commerce sites where you take orders and accept payments should already be using HTTPS with a certificate from a reputable certificate provider but if your website is just a way of advertising your products and services and a way for customers to contact you you may not be.

When moving to HTTPS, you can either use a free certification authority like LetsEncrypt! or obtain a paid certificate from a certification provider. Both will show as secured in your visitor’s browsers but a paid certificate often comes with an easily recognisable trust seal and last for a longer period. Our hosting will work with both types of certificates and can automate renewal and installation for LetsEncrypt while we can do the installation of a paid certificate.

If you are not sure which way to go, get in touch and we can point you in the right direction.