Google Now Requires Secure Websites. Oh, and so does Apple. Google Chrome and Safari block websites that are not secure.

Well, technically you can get away without having a secure site but the warnings are obnoxious and fewer visitors are guaranteed. Years ago, Google embraced secure sites and promised to shame websites that were not secure.

What does “secure” really mean? Simply put, your site resolves with https rather than http. An encrypted SSL Certificate (Secure Sockets Layer), also called a Digital Certificate, creates a secure link between a website and a visitor’s browser. Secure links are good for everyone and help increase the trust that you are connecting with and communicating with a known entity. “Encryption is something that web users should expect by default,” says Chrome security product manager Emily Schechter.

In March 2018 Google started marking sites not secure. With this update, the Google Chrome browser shows the “not secure” warning in the address bar. But it is not just  Google! Safari issues a big warning as well.

http 1

As enhancements are made to Chrome the warnings will become more severe. For example, in October 2018 the warning will be in red when data is entered on the page.

http 2

No matter the warning, as users browse with updated browsers they will become more aware of security. It is safe to expect non-secure sites will see a reduction in traffic too. If your site is not secure yet we can help you fix it. Just let us know and we can take a look and give you an estimate of what is required. Some sites are easier than others and some web hosting companies are easier than others.

 

Sources

  • Avoiding the Not Secure Warning in Chrome  |  Web  |  Google Developers (developers.google.com)
  • What is the Google Chrome “Not Secure” Warning? (ltnow.com)
  • Chrome’s Non HTTPS Not Secure Warning – What You Need to Know (r-rwebdesign.com)
  • Google emails warnings to webmasters that Chrome will mark http pages with forms as ‘not secure’ (searchengineland.com)
  • Google’s Chrome will add new ‘Not secure’ warnings later this year (marketingland.com)
  • Chrome: Enable/Disable “Not Secure” Warning (technipages.com)
  • Google Chrome users met with ‘Not secure’ warnings when visiting HTTP sites (grahamcluley.com)
  • Chrome to Add Security Warning to HTTP Sites Beginning 2017 (wptavern.com)
  • Here’s why Chrome has started showing ‘not secure’ warnings on lots of websites (cnet.com)
  • A milestone for Chrome security: marking HTTP as “not secure” (blog.google)

HTTP

  • Security has been one of Chrome’s core principles since the beginning—we’re constantly working to keep you safe as you browse the web. Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTP S as “not secure”. This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users. (blog.google)
  • More encrypted connections, more security When you load a website over plain HTTP , your connection to the site is not encrypted. This means anyone on the network can look at any information going back and forth, or even modify the contents of the site before it gets to you. With HTTPS, your connection to the site is encrypted, so eavesdroppers are locked out, and information (like passwords or credit card info) will be private when sent to the site. (blog.google)

Google

  • Making encryption easy If you’re a site owner looking to migrate (or build!) your site on HTTPS, we’ve helped make the process as simple and inexpensive as possible. Improvements include managed HTTPS for Google App Engine, required and automatic HTTPS on all .app domains, and free and automated certificates through Let’s Encrypt (Chrome is a Platinum sponsor). And if you’re in the process of migrating to HTTPS, look out for messages coming from Search Console with further information and guidance. (blog.google)
  • Enabling stops your webpages from being tampered with in transit, and stops anyone from snooping on the data that your users might be sending to your website. And, if you need any more convincing, Google has indicated that if your website has that’s going to help your search ranking too. (grahamcluley.com)

Google Chrome

  • Changing the Google Chrome security warning to something more obvious serves two purposes. First, the image change wakes up that area of the brain that’s (likely) been ignoring the symbol in the address bar. Secondly, adding words to the new symbol further engages the brain to recognize the message. (ltnow.com)

Credit Card

  • In addition to credit card information and login forms, there could be other sensitive information collected on online forms. For example, if you have an online form on your site that collects sensitive information like the user’s birth date, mother’s maiden name, and more, you should be concerned about eavesdroppers. Having an SSL secured page would protect those filling out that form from unwanted eyes. (r-rwebdesign.com)
  • We knew that rolling out the warning to all HTTP pages would take some time, so we started by only marking pages without encryption that collect passwords and credit card info. Then we began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode. (blog.google)

Incognito Mode

  • Chrome version 62 will show a “NOT SECURE” warning for any type of text input fields on web pages. This includes online forms and search text input, and for all pages when viewed in Incognito mode . (r-rwebdesign.com)

Address Bar

  • Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information. (cnet.com)
  • Chrome’s latest update (aka Chrome 56) is marked with a number of changes and features designed to improve the search experience for all users. The backside of this update is interesting mostly to web developers, but the general public benefits from it, too. One of the more obvious changes is the icon found in the address bar that indicates site security. (ltnow.com)

Chrome

  • You may not have paid much attention to it before, but the symbol just to the left of the website address gives you an indication of just how secure a particular site is. In previous versions of Chrome , this symbol might have been a green lock, a yellow warning triangle, or a lock with a red X on it. As it turns out, humans are pretty good at symbol reading, but not so great at interpreting these symbols after a while. (ltnow.com)
  • Chrome ’s “not secure” warning helps you understand when the connection to the site you’re on isn’t secure and, at the same time, motivates the site’s owner to improve the security of their site. Since our announcement nearly two years ago, HTTPS usage has made incredible progress. We’ve found in our Transparency Report that: (blog.google)

Cloudflare

  • “Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare , a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.” (cnet.com)
  • “This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare ‘s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.” (cnet.com)

Twitter

  • Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter , Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway. (cnet.com)
  • If you are not familiar with HTTPS, you may have seen it in action and not noticed it. For example, your bank’s website, Gmail, Facebook, and Twitter all use HTTPS. In essence, HTTPS protects the integrity and confidentiality of users’ data. (r-rwebdesign.com)

Personal Information

  • “This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday. (cnet.com)

Statistics

  • At the time of this testing, it was estimated that less than 1% of sites used HTTPS. (ltnow.com)
  • Fast forward two years later and the number has grown to slightly more than 30%. (ltnow.com)
  • Web security will always be an important topic for Google, and the 30% HTTPS adoption rate is an indication that webmasters are listening. (ltnow.com)
  • But let’s not forget, there are nearly 70% of sites still not using HTTPS. (ltnow.com)
  • According to the StatCounter Global Stats for desktop, mobile, tablet, and consoles, 53.92% of the global population used Chrome as their browser from April to June 2017. (r-rwebdesign.com)
  • It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015. (cnet.com)
  • It took NASA months to update its 3,000 websites to 95 percent HTTPS. (cnet.com)
  • The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today. (cnet.com)
  • And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study. (cnet.com)
  • 76 percent of Chrome traffic on Android is now protected, up from 42 percent (blog.google)
  • 85 percent of Chrome traffic on ChromeOS is now protected, up from 67 percent (blog.google)

Summaries

Avoiding the Not Secure Warning in Chrome  |  Web  |  Google Developers (developers.google.com)

  • “Chrome will soon mark non-secure pages containing password and credit card input fields as Not Secure in the URL bar.”

What is the Google Chrome “Not Secure” Warning? (ltnow.com)

  • The Google Chrome security warning is undergoing a series of changes.
  • Late last year, Google announced they were changing the way their browser indicated the relative security of a website.
  • One of the more obvious changes is the icon found in the address bar that indicates site security.
  • Changing the Google Chrome security warning to something more obvious serves two purposes.

Chrome’s Non HTTPS Not Secure Warning – What You Need to Know (r-rwebdesign.com)

  • With version 56, websites that collect credit card information and have password input forms that do not have an SSL certificate installed that enables HTTPS were marked not secure.
  • For example, if you have a WordPress membership area where users need to enter a password, the page with the login will have the warning if a SSL certificate / HTTPS is not enabled.
  • In addition, FireFox also started showing warnings in the address bar in January 2017 with Firefox 51 for web pages that have password logins and do not have HTTPS.
  • Eventually, all pages will show the strike-through lock icon warning in future versions of Firefox for any page that does not utilize HTTPS.
  • In addition to credit card information and login forms, there could be other sensitive information collected on online forms.

Google emails warnings to webmasters that Chrome will mark http pages with forms as ‘not secure’ (searchengineland.com)

  • Have forms, login fields and other input sections on your HTTP website? Chrome is going to mark them as not secure.

Google’s Chrome will add new ‘Not secure’ warnings later this year (marketingland.com)

  • Have a search box or form on your website that runs over HTTP? You might want to switch your pages over to HTTPS by October.

Chrome: Enable/Disable “Not Secure” Warning (technipages.com)

  • Google Chrome now warns users if they are visiting a page that is not protected via HTTPS as “Not Secure”. If you don’t like this behavior, you can disable it with the following s…

Google Chrome users met with ‘Not secure’ warnings when visiting HTTP sites (grahamcluley.com)

  • If you’re still running a website that is using insecure HTTP then it’s probably too late.
  • Some of your website’s visitors are going to be greeted with a message that tells them that they can’t trust your website to be secure.
  • It’s not as though website administrators haven’t been given fair warning. is good for your website visitors, and it’s good for your website.
  • Enabling stops your webpages from being tampered with in transit, and stops anyone from snooping on the data that your users might be sending to your website.

Chrome to Add Security Warning to HTTP Sites Beginning 2017 (wptavern.com)

  • The Google Chrome Security team announced yesterday the browser will begin labeling HTTP connections as insecure starting in January 2017.
  • The announcement cited a study on connection security indicators that showed users do not perceive the lack of a green lock icon as a warning that a site is not secure and can become blind to warnings they see too frequently.
  • Chrome 56 will be the first release that labels HTTP pages with password or credit card form fields as insecure.

Here’s why Chrome has started showing ‘not secure’ warnings on lots of websites (cnet.com)

  • HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
  • It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
  • Instead you’ll see a less noticeable black lock, Google said in a May blog post.
  • The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
  • Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
  • In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others.

A milestone for Chrome security: marking HTTP as “not secure” (blog.google)

  • More encrypted connections, more security When you load a website over plain HTTP, your connection to the site is not encrypted.
  • We knew that rolling out the warning to all HTTP pages would take some time, so we started by only marking pages without encryption that collect passwords and credit card info.
  • Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure.
  • So when you’re shopping for concert tickets or online banking, rest assured: you’ll be warned if a site is not protecting your data with HTTPS.

Links

cnet.com

  • https://www.cnet.com/news/tim-berners-lee-on-its-25th-anniversary-the-web-still-needs-work-q-a/
  • https://www.cnet.com/tags/edward-snowden/
  • https://www.cnet.com/news/facebook-cambridge-analytica-data-mining-and-trump-what-you-need-to-know/
  • https://www.cnet.com/news/google-io-by-the-numbers-1b-android-users-900m-on-gmail/
  • https://www.cnet.com/news/how-startup-github-survived-a-massive-five-day-network-attack-q-a/

ltnow.com

  • https://www.ltnow.com/https-ranking-factor/
  • https://www.ltnow.com/how-to-make-my-website-https/
  • https://www.ltnow.com/contact/
  • https://www.ltnow.com/web/hosting/

developers.google.com

  • https://developers.google.com/web/
  • https://developers.google.com/web/updates/2015/06/checkout-faster-with-autofill
  • https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

blog.chromium.org

  • https://blog.chromium.org/2016/12/chrome-56-beta-not-secure-warning-web.html
  • https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html
  • https://blog.chromium.org/2017/04/next-steps-toward-more-connection.html

blog.google

  • https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/
  • https://www.blog.google/products/chrome/reflecting-years-worth-chrome-security-improvements/
  • https://blog.google/technology/developers/introducing-app-more-secure-home-apps-web/

security.googleblog.com

  • https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
  • https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

r-rwebdesign.com

  • https://r-rwebdesign.com/googles-new-https-ranking-signal-ugly-truth-need-know
  • https://r-rwebdesign.com/contact

g.co

  • https://g.co/https

support.google.com

  • https://support.google.com/chrome/answer/95617?hl=en

safaribooksonline.com

  • https://www.safaribooksonline.com/library/view/your-brain-the/9780596517786/ch04s06.html