If you’re still running a website that is using insecure HTTP then it’s probably too late.
Some of your website’s visitors are going to be greeted with a message that tells them that they can’t trust your website to be secure.
That’s the message they’re going to get from Google Chrome which - in version 68 released on Tuesday 24 July 2018 - is changing its behaviour, and will start labelling all sites that continue to use unencrypted HTTP as “not secure”.
And as Chrome is the world’s most widely-used browser, that’s an awful lot of visitors who might feel unsettled visiting your website from Tuesday.
It’s not as though website administrators haven’t been given fair warning. The Chrome browser has been marking HTTP webpages that ask for passwords or payment card details as not secure since early last year.
And in February, Google confirmed that with the release of Chrome 68 this month it would “mark all HTTP sites as “not secure”.”
HTTPS is good for your website visitors, and it’s good for your website.
Enabling HTTPS stops your webpages from being tampered with in transit, and stops anyone from snooping on the data that your users might be sending to your website. And, if you need any more convincing, Google has indicated that if your website has HTTPS that’s going to help your search ranking too.
And HTTPS doesn’t have to cost you anything. The LetsEncrypt initiative lets anyone who owns a domain name obtain a trusted certificate at no cost. If LetsEncrypt is too nerdy for you, you might be able to use the likes of Cloudflare’s free plan to get that all-important HTTPS in your URL.
Security expert Troy Hunt has created a simple website entitled (appropriately) httpsiseasy.com which can walk you through the process of setting up with Cloudflare.
There are going to be some website owners who are going to be pretty upset about Chrome telling their users that their websites are “not secure”. They may even be some regular internet users who are upset too.
But this is an important step in the journey of making the internet a safer, more secure place. Going forward, encryption should be the default, not the exception.
Listen to more discussion about this topic in this episode of the “Smashing Security” podcast: