Google applies further pressure on unencrypted websites
18 August 2017
Google is preparing to roll out the next phase of its plan to push all websites to use encrypted traffic throughout.
In April, we published a news story, "Google Chrome and Firefox highlight unencrypted websites", explaining how Google and Mozilla wanted all websites to be encrypted throughout (running in HTTPS mode instead of HTTP).
Version 62 of Google Chrome, due for release in October, will go further by highlighting http web pages that submit text data of any kind as not secure, as illustrated by Google's own explanatory graphic below:
There are two particular points to note here:
When the page loads, the address bar will look exactly as it does at the moment and only when the user starts entering text into a web page will it change to show the "Not secure" label.
The significant change is that this will apply to any page that allows entry of data - for a significant number of websites, this may affect every page simply because every page features a search box!
Do I have to do anything?
Building websites to always run in encrypted mode has been standard only since early 2016 and older sites will generally only switch to encrypted mode when transmitting sensitive information (such as a login user id or password). This was normal practice.
Our April newsletter highlighted a number of well-known websites that were not running with always-on encryption; since that time, only one (BBC) has changed to force encryption.
Google is only one producer of web browsers (albeit a well-known one) and it remains to be seen how much effect this most recent announcement will have. With a significant number of leading websites not running throughout in secure mode, it is likely that most users will be so used to seeing the "Not secure" message that they will ignore it unless entering sensitive information (when all sites should be in secure mode anyway).
We do, however, strongly recommend that you move your website to an always-on encryption mode, if you have not already done so.
As highlighted in our previous news story, this is not necessarily straightforward: it depends on a number of factors, such as the age of the site and how content (such as images and video) has been added via the CMS.
For further information please visit https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html
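As an added illustration (not part of the original article or Google's announcement), the following Python sketch audits a page for the two issues discussed above: text-entry fields on a page served over http, and hard-coded http:// images or video that would become mixed content once the site moves to https. The list of input types treated as text entry, the function name audit_page and the sample HTML are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: input types that do NOT take typed text; not Chrome's own list.
NON_TEXT_INPUTS = {"hidden", "submit", "button", "reset", "image",
                   "checkbox", "radio", "file", "range", "color"}
# Tags whose src/poster attribute loads a subresource.
SUBRESOURCE_TAGS = {"img", "video", "audio", "source", "script", "iframe", "embed"}

class _Audit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.text_fields = []     # fields a visitor can type into
        self.http_resources = []  # absolute http:// subresource URLs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "textarea":
            self.text_fields.append(f"textarea name={a.get('name', '')}")
        elif tag == "input":
            kind = a.get("type", "text").strip().lower() or "text"
            if kind not in NON_TEXT_INPUTS:
                self.text_fields.append(f"input[type={kind}] name={a.get('name', '')}")
        urls = []
        if tag in SUBRESOURCE_TAGS:
            urls = [a.get("src", ""), a.get("poster", "")]
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            urls = [a.get("href", "")]
        for url in urls:
            if url.strip().lower().startswith("http://"):
                self.http_resources.append(url.strip())

def audit_page(page_url, html):
    """Report text-entry fields and hard-coded http:// subresources."""
    parser = _Audit()
    parser.feed(html)
    parser.close()
    is_http = urlsplit(page_url).scheme.lower() == "http"
    return {"not_secure_on_entry": is_http and bool(parser.text_fields),
            "text_fields": parser.text_fields,
            "http_subresources": parser.http_resources}

# Constructed sample page: a search box plus CMS-style embedded media.
SAMPLE_HTML = """<html><body>
<form action="/search"><input type="search" name="q"><input type="submit"></form>
<img src="http://www.example.com/uploads/banner.jpg">
<video src="/media/intro.mp4" poster="http://www.example.com/uploads/poster.png"></video>
<img src="https://cdn.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    print(audit_page("http://www.example.com/news", SAMPLE_HTML))
```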