HTTP vs. HTTPS: Understanding Security Warnings in Google Chrome
Starting in October 2017, the Google Chrome browser will show a "Not Secure" warning on any web page that has an input field and is served over HTTP instead of HTTPS. Even a basic site search field will trigger this warning when served over HTTP. Most websites across the internet will be affected.
This security warning is part of a larger initiative from Google to push the web toward HTTPS. All web pages must eventually be migrated or suffer the security warning. Google has yet to announce a date, but we estimate this final push will happen late 2018. For now, we only need to worry about pages with input fields.
What is HTTPS?
By default, when a request is made from a browser to a web server it is done via HTTP (notice the absence of the "s"). The request and response bodies are sent in plain text, and anyone with access to the data packets can read both. To hide that data, an SSL certificate can be installed on the server. This certificate serves two purposes. First, it enables encryption of the data transmitted between the server and the client. Second, it verifies the identity of the website you're visiting. That encrypted traffic from the trusted source (your website) is sent over HTTPS. The image below shows what your website visitors will see if your site isn't secure following Google Chrome's update.
It is helpful to understand this is not new and nothing has changed with how pages are served. Your website has not suddenly become less secure. Google is simply making an effort to encourage all website owners to take steps that will improve the security of the web. This effort on Google's part has been ongoing and they are taking increasingly bold steps to make it happen.
What we are most concerned with is how this new label will reflect on you and your brand. The label "Not Secure" will undermine the trust we seek to establish between our clients and their stakeholders.
Why is Google doing this?
They are working to make the internet a safer place. Unencrypted web traffic can be monitored by a peer on the network (e.g. on a poorly configured public hotspot) or via a man-in-the-middle attack. That's why most sites where you expect your personal data to be protected already use HTTPS*. There is, however, a large number of sites where you might expect web surfing to be private, but it is not. For example, that search you did at WebMD.com about that thing you're not comfortable talking to your doctor about – definitely not encrypted (as of August 2017 – hopefully, this Google push will change that).
The scenarios get a lot scarier when you consider that modern browsers are much more than HTML viewers. For example, when geolocation services are enabled for a website, that site is able to pinpoint your location. Visit that site frequently enough and it can know where you work, where you live, where you like to eat lunch on Fridays, where your kids go to school, etc. You absolutely want that information to be kept confidential in all situations.
What will it cost?
It depends (I bet you knew I was going to say that).
If you don't already have a certificate for your website's domain or a wildcard certificate for your primary domain, you will likely need to pay a certificate authority (pricing varies). Network Solutions and GoDaddy are popular and easy-to-use providers. There are free providers, but unless IT is your full-time job you probably have better uses for your time.
As for our fees, if all you need is a CSR (Certificate Signing Request) and installation of the SSL certificate that you provide, that would be two separate, fifteen-minute tasks.
If you don’t have resources that can procure a certificate, please contact us at [email protected] to see how we can help.
Those are the core tasks but here are some special cases that could require more intervention:
If you are using third-party content on your website that is not served via HTTPS, then we will need to work with your content provider to ensure that we can get that content via HTTPS. This could be easy or hard depending on what the content provider is ready to handle. Those tasks will have to be estimated on a case-by-case basis.
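To see concretely which pages the Chrome warning described above applies to, and which third-party resources would need to move to HTTPS before a migration, here is an added Python audit script (not code from the original article). It parses a page's HTML, counts input fields, and lists sub-resources still loaded over http://; the page URL, the hostnames and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch a sub-resource.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
             "audio": "src", "video": "src", "source": "src"}


class PageAuditor(HTMLParser):
    """Collects input fields and sub-resource URLs from an HTML document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.inputs = 0
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("input", "textarea"):
            self.inputs += 1  # any input field triggers Chrome's "Not Secure" label on HTTP
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            # Resolve relative and protocol-relative ("//cdn...") URLs against the page URL.
            self.resources.append(urljoin(self.page_url, attrs[attr]))


def audit_page(page_url, html):
    """Return what a migration to HTTPS has to deal with for this page."""
    parser = PageAuditor(page_url)
    parser.feed(html)
    scheme = urlsplit(page_url).scheme
    http_resources = [u for u in parser.resources if urlsplit(u).scheme == "http"]
    return {
        "not_secure_warning": scheme == "http" and parser.inputs > 0,
        "input_fields": parser.inputs,
        # Mixed content only matters once the page itself is served over HTTPS.
        "mixed_content": http_resources if scheme == "https" else [],
    }


# Constructed sample page (not a real site): a site search box plus a mix of
# HTTPS, HTTP, protocol-relative and relative sub-resources.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//cdn.example.net/site.css">
<script src="http://widgets.example.org/chat.js"></script>
</head><body>
<form action="/search"><input type="text" name="q"></form>
<img src="https://images.example.com/logo.png">
<img src="/static/hero.jpg">
</body></html>"""

if __name__ == "__main__":
    print(audit_page("http://www.example.com/", SAMPLE_HTML))   # warning: True
    print(audit_page("https://www.example.com/", SAMPLE_HTML))  # mixed: chat.js
```

The same page served over HTTP gets the warning because of the search box; served over HTTPS it no longer does, but the chat widget becomes the third-party dependency the provider has to fix.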
Other Common Questions
Q: My company uses Internet Explorer, so can we ignore this?
A: No. It's your website visitors that we are concerned with. Chrome currently holds the largest market share and it is reasonable to expect that other browser vendors will follow suit.
Q: Will my website be down while we make this change?
A: No, not at all.
Q: I keep hearing about how not using HTTPS will cause my Google search rankings to drop. Is this the same issue?
A: No, but they are both parts of the larger initiative at Google to nudge the web to be more secure. The consideration of HTTPS as a small, positive ranking factor was one of Google's first steps in that direction.
Q: We recently had to change our SAM login URL. Is this the same issue?
A: No, but they are both parts of the larger initiative at Google to nudge the web to be more secure. The changes to your SAM URL were a result of Google's change to show a security warning any time a password field was presented.
Q: Will my website run slower?
A: Marginally.
Q: Will I need a bigger web server?
A: It's unlikely but possible. If you are already on the edge this might push you over.
Next Steps
If you have any questions or need help securing your site, please send us an email at [email protected] or call us.