HTTPS is normal, HTTP is Not Secure

When using Google Chrome, the way a website is displayed as Secure or Not Secure is changing in 2018. The idea behind these changes is that users should expect that the web is safe by default, and be warned when there’s a security concern. This reverses the common browser behaviour that shows a positive indication when a website is secure (green bar, green “Secure”, or a similar positive display), but may not show any warning when it is not.

This behaviour change began with Google Chrome 62, released in October 2017. In our blog post in December last year, HTTPS is important for all websites, we mentioned this was the second phase of Google's plan to mark all public HTTP websites as Not Secure. At that time it was not known when the final phase would occur, only that it would eventually happen.

3rd phase marking HTTP pages as non-secure

In February 2018, Google announced the next phase in a blog post, A secure web is here to stay. All HTTP website pages will be displayed as Not Secure in Google Chrome starting with Chrome 68, due to be released in July 2018. This month saw the release of Chrome 65, so there are a couple of releases in between, although it is not far away: Chrome 68 is less than 4 months away.

4th phase HTTPS secure is not as prominent

In May 2018, the next couple of phases were announced in a blog post, Evolving Chrome's security indicators, which also updated the timeline for Chrome introducing these phases for HTTP to be marked as Not Secure. Chrome 69, due in September 2018, will remove the green Secure indicator from the address bar, simply showing a grey padlock for HTTPS website pages.

5th phase HTTP is always Not Secure

In October 2018, Chrome 70 will be released. In the 5th phase, all HTTP pages will be marked as Not Secure in grey when there are input fields, and the marking will change to red when the user interacts with those fields.

Earlier versions display the grey icon, and show Not Secure in grey when the fields are interacted with. This is still not the final phase, however, as the intention is to always display the red Not Secure whenever a website is using HTTP. Chromium still have no target date for the final phase.

The behaviour is getting closer, and as more and more websites take up HTTPS, Google will be less concerned about making the final step. I expect it to happen in 2019, and possibly by the end of 2018.
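An added example, not code from the original post: a small offline audit that takes saved copies of a site's pages and flags the HTTP pages containing input fields, the case Chrome 70 escalates to red as described above. It goes slightly beyond the text by also flagging HTTPS pages whose forms submit to an http:// address; the severity labels, function names and sample pages are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image"}  # not typed into (assumption)

class FormScanner(HTMLParser):
    """Collect data-entry fields and http:// form targets from one page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.fields, self.http_actions = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind not in NON_DATA_TYPES:
                self.fields.append(f"input[type={kind}]")
        elif tag in ("textarea", "select"):
            self.fields.append(tag)
        elif tag == "form":
            target = urljoin(self.base_url, a.get("action") or "")  # resolve relative action
            if urlparse(target).scheme == "http":
                self.http_actions.append(target)

def audit_page(url, html):
    """Return a finding for one page, or None if it is HTTPS end to end."""
    scan = FormScanner(url)
    scan.feed(html)
    if urlparse(url).scheme == "http":
        severity = "high" if scan.fields else "low"  # input fields on HTTP rank highest
    elif scan.http_actions:
        severity = "medium"  # HTTPS page whose form still submits over HTTP
    else:
        return None
    return {"url": url, "severity": severity, "fields": scan.fields, "http_actions": scan.http_actions}

def audit_site(pages):
    """pages: iterable of (url, html); findings ordered high to low."""
    found = [f for f in (audit_page(u, h) for u, h in pages) if f]
    return sorted(found, key=lambda f: ("high", "medium", "low").index(f["severity"]))

# Constructed sample pages on a reserved test domain, not real sites.
SAMPLE_PAGES = [
    ("https://shop.example.test/contact", '<form action="http://shop.example.test/send"><textarea></textarea></form>'),
    ("http://shop.example.test/about", "<h1>About us</h1>"),
    ("http://shop.example.test/login", '<form action="/session"><input type="email"><input type="password"></form>'),
    ("https://shop.example.test/checkout", '<form action="/pay"><input name="card"></form>'),
]
print(*audit_site(SAMPLE_PAGES), sep="\n")
```

Pages reported as high are the ones to move to HTTPS first, since they are where visitors are asked to type something.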

Not just Chrome, Firefox too

Firefox have had similar behaviours to Chrome's first phase, displaying warnings when sensitive information is entered on an HTTP website page. Hidden settings have appeared in Firefox 59 and Firefox 60.

The hidden settings are disabled by default. When enabled, all HTTP website pages are displayed with a crossed-out padlock or "Not secure" text, showing an insecure website. The feature was proposed in 2016 for inclusion in Firefox by Richard Barnes, a former Mozilla engineer, and resolved for version 59. Another feature was proposed to include the text, and was completed for Firefox 60.

Is your website prepared for HTTPS?

Will visitors to your website care about the display of Not Secure? Depending on the type of website you have, you could have gotten away without an SSL certificate with no perceived impact by visitors to your website. But there is more to be concerned with than just the indicator in the address bar.

Google Search have been giving websites on HTTPS priority over websites on HTTP since 2014. If you want to improve your SEO and your website is still using HTTP, then updating to HTTPS will be a step in the right direction. By staying on HTTP, you could be reducing the number of visitors who find you in search results.

From July this year there is no exception: all websites should have an SSL certificate installed so that they can use HTTPS. Chrome represents well over half of the browser market, and Firefox a fair portion of the remainder, so your users are going to be shown ever-increasing warnings when visiting your website if you don't have HTTPS working.

HTTPS is not just about security of information between your website and your customer’s browser, although that is an important part of it. It is also about the integrity and authenticity of the website, and having HTTPS implies your website (and your business) have been verified as being legitimate. And of course, there is the SEO boost that comes with it.

If you don't have an SSL certificate, you should contact your hosting provider to verify they can implement HTTPS for you, and what you need to do to get one. SSL certificates are much more affordable than they were many years ago. Rubidyn have SSL certificates available for most budgets, from budget-focused Domain Validated certificates as a low-cost remedy, through to premium EV certificates.
