A few days ago, we announced that Google was about to mark all unencrypted sites “not secure”, why it matters and what to do about it.
Inevitably, some publishers were caught unawares, and they are now getting flagged by Google’s Chrome browser publicly. The other big browser makers are expected to follow soon.
“Security warnings will pop up on the Daily Mail website today if visitors are using the latest version of Google’s Chrome browser,” said Mark Ward, Technology correspondent of BBC News. “In the UK many others, such as Sky Sports, Argos and Boohoo have also not yet adopted HTTPS throughout their sites.”
Ironically, even though the last story above was reported by BBC News (UK), some of the broadcaster’s other sites are also being flagged by Google Chrome, including its BBC America pages.
According to the data gathered by security researcher Troy Hunt, more than 50% of all the web’s top one million sites are yet to make the change to HTTPS.
“HTTPS is now free, easy and increasingly ubiquitous. It’s also now required if you don’t want Google Chrome flagging the site as “Not secure”,” he says. “Yet still, many of the world’s largest websites continue to serve content over unencrypted connections, putting users at risk even when no sensitive data is involved.”
Hunt has launched a site called WhyNoHTTPS? that features a comprehensive listing of the world’s most popular websites that are not using it. The lists show that some of the biggest publishers in the USA and the UK are still to implement the necessary changes.
“Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”. This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome Security Product Manager.
Chrome’s “not secure” warning helps you understand when the connection to the site you’re on isn’t secure and, at the same time, motivates the site’s owner to improve the security of their site.
Why are sites being marked “not secure”?
Here’s a refresher from our earlier coverage.
If a website doesn’t start with https:// (i.e., with a reputable Secure Sockets Layer, or SSL certificate), Google’s new Chrome browser update has started showing a warning message to visitors, informing them that the site they’ve visited is not secure. Consequently, this affects the site’s trustworthiness and may drive some visitors away.
Pushing for encryption is not a new initiative. For years, Google has been calling for “HTTPS everywhere” on the web.
Just before the current version refresh, Google’s Chrome browser was in Version 67. In Chrome 68—that has just been rolled out now—the omnibox displays “Not secure” for all HTTP pages, like in the example below.
Eventually, Google will change the icon beside the “Not secure” label and highlight the text in red to further emphasize that user should not trust HTTP sites. Once this happens, publishers who are late in adopting the more secure HTTPS option will quite possibly see their audience count go south.
What is HTTPS, and why is it important?
HTTPS stands for ‘Hyper Text Transfer Protocol Secure,’ whereas HTTP stands for ‘HyperText Transfer Protocol.’ The difference, quite obviously, is about security.
HTTPS establishes an encrypted connection between a web browser and a server so that no malicious third party can eavesdrop and/or tamper with the data transmitted through the connection.
Simply speaking, when the transfer of sensitive details such as credit card details and passwords is concerned, HTTPS is of paramount importance. HTTPS encryption protects the channel between the browser and the website the user is visiting, ensuring no one in the middle can tamper with the traffic or spy on what the user is doing.
With HTTPS enabled, visitors get a constant, secure connection on every page of a publisher’s website. They can also see a green, closed padlock icon next to the website address in the browser, showing that their information is safe. This allows visitors to navigate the website and submit information through a secure connection.
Since Google’s initial announcement nearly two years ago, HTTPS usage has made considerable progress. Google found in their Transparency Report that:
- 76% of Chrome traffic on Android is now protected, up from 42%
- 85% of Chrome traffic on ChromeOS is now protected, up from 67%
- 83% of the top 100 sites on the web use HTTPS by default, up from 37%
In the beginning Google started by only marking pages without encryption that collect passwords and credit card info. Later they began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
“Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure,” according to the Google announcement.
“We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages.”
In October’s version of Chrome (70), visitors will see a red “not secure” warning notification when they enter data on an HTTP page.
According to Emily Schechter, Chrome Security Product Manager, “Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.”
HTTPS has also become quite easy to implement via automated services like Let’s Encrypt, giving publishers even less of an excuse not to adopt it. Google has also suggested its own Lighthouse tool, which includes options for migrating a website to HTTPS.
The best part about having HTTPS implemented? It can help a websites load faster, and actually help more visitors find your site. Google earlier announced that SSL-secured websites would potentially enjoy a rankings boost in their search results.
So with the manifold benefits of privacy, data integrity, and protection against impersonation, not to mention better speed plus rankings boost, the decision to implement HTTPS is essentially a no-brainer for publishers still debating whether or not to go secure.