When users can enter any kind of data on pages that use the HTTP protocol, Google Chrome will now display a “Not secure” warning next to the address bar. This latest update follows Google’s recent amendment to the way Chrome handles insecure connections for data processing.
In January 2017, Google publicly started its quest to greatly improve how Chrome indicates the connection security of websites. HTTP pages that used password or credit card form fields were shown as “Not secure”. Google deemed this good practice to protect the sensitive data of web users. It no longer stops there: Google now deems any personal data worthy of protection – quite right!
Since October 2017, Chrome has clearly displayed the “Not secure” warning on HTTP pages where users enter any kind of data and on all HTTP pages visited in Incognito mode. Starting in Chrome version 62, users will see the warning whenever they type data into HTTP sites.
Why are they doing this?
Mostly because it’s sensible and is the logical next step in ‘securing’ the web. HTTPS is by no means the only solution out there, and it only protects against certain types of attacks, but it still helps. On the other hand, serving pages over HTTP allows anyone on the network path between the visitor and your server to do whatever they want with your site’s content in transit – sometimes injecting unwanted or malicious ads into your pages.
With that stark warning in mind, here are the principal reasons why we should be glad of HTTPS:
- It protects the integrity of your website by default
- You can protect the security and privacy of your users
- It’s good for search – with HTTPS (probably) giving an extra boost to websites in search ranking
- Better referral data for your analytics – referral data is removed when traffic passes from a secure page to a non-secure page, but it is preserved when traffic passes to a secure HTTPS site
- HTTP will turn a neutral user experience into a negative one, because the browser actively alerts users to the risks of entering data into your insecure site.
Why all the fuss?
Let’s be clear, HTTPS is not a guarantee of all-round security. HTTPS uses encryption to ensure that the data transmitted between the browser and the website server is hidden. That means that any data exchanged between the two is unreadable to anyone who happens to have access to your network.
These days, without HTTPS, it’s easy to snoop around a network looking for unsecured connections. Remember, things can even be inferred from your browsing behaviour that paint a pretty picture of your online identity. You wouldn’t actively reveal parts of your personal life to people you don’t know, so there’s no reason your data shouldn’t be guarded when you go online.
What HTTPS does provide is three main security ‘properties’:
- It proves that who you are talking to is who you expect to be talking to.
- It guarantees that your browser is talking to the real website server and that only those two parties can read your data.
- It guarantees that when the browser and the server send data to each other, the data each receives is exactly what the other party sent.
It’s not just Google pressing for HTTPS – Firefox and Bing have already announced plans to phase out non-secure HTTP, agreeing broadly that HTTPS is the way forward for the web.
So it’s no longer a case of choosing whether websites are ‘important’ enough for HTTPS; it has clearly become a standard. That’s why you need to have taken steps to migrate your website.
If HTTPS is still on your to-do list, make it a priority. Data on the web should be protected from snooping and tampering from the very beginning, by design. That’s what we get from HTTPS. It’s here to stay.
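To decide which pages to migrate first, the two rollout stages described above (password or credit card fields from January 2017, any typed data from Chrome 62, all HTTP pages in Incognito mode) can be approximated with a small audit script. This is an added example, not Google's or Chrome's own logic; `classify`, `FieldScan`, the list of non-typing input types and the `shop.example` pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: input types the user cannot type into do not count as data entry.
NON_TYPING = {"hidden", "submit", "button", "reset", "image",
              "checkbox", "radio", "file", "range", "color"}

class FieldScan(HTMLParser):
    """Collects the fields on a page that a visitor can type into."""
    def __init__(self):
        super().__init__()
        self.typed = []         # names of free-text fields
        self.sensitive = False  # password or credit card field seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "textarea":
            self.typed.append(a.get("name") or "textarea")
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind not in NON_TYPING:
                self.typed.append(a.get("name") or kind)
            autocomplete = (a.get("autocomplete") or "").lower()
            if kind == "password" or autocomplete.startswith("cc-"):
                self.sensitive = True

def classify(url, html, incognito=False):
    """Return which rollout stage would flag the page, or None."""
    if urlparse(url).scheme != "http":
        return None  # HTTPS pages are not flagged
    scan = FieldScan()
    scan.feed(html)
    if scan.sensitive:
        return "jan-2017: password/card field"
    if scan.typed:
        return "chrome-62: data entry (" + ", ".join(scan.typed) + ")"
    return "chrome-62: incognito" if incognito else None

# Constructed sample pages (not from the article).
PAGES = {
    "http://shop.example/login": '<form><input name="u"><input type="password" name="p"></form>',
    "http://shop.example/search": '<form><input type="search" name="q"><input type="submit"></form>',
    "http://shop.example/about": "<p>About us</p>",
    "https://shop.example/contact": '<form><textarea name="msg"></textarea></form>',
}

if __name__ == "__main__":
    for url, html in PAGES.items():
        print(url, "->", classify(url, html))
```

Pages reported under the January 2017 stage are the ones to move to HTTPS first, followed by any page with a free-text field.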