Google Chrome and Firefox highlight unencrypted websites

Google and Mozilla are on a mission! Back in 2015, the companies behind the Chrome and Firefox web browsers came to the conclusion that all traffic through all websites should be encrypted.

Recent changes to their web browsers move them a step closer to that goal.

Background

Data sent to and from an encrypted page cannot be read by anyone intercepting the data en route whereas unencryped web pages can. An encrypted web page is usually identified by a padlock in the address bar:

Traditionally, encryption was always restricted to those web pages exchanging sensitive information (such as user id and password or credit card details); this was largely due to the fact that the overhead of encrypting and decrypting data slowed everything down too much. The conclusion reached by Google and Mozilla was that, with today's better CPUs, this was not as strong an argument as it used to be and that best practice would be for all pages to be encrypted, regardless of whether they are sending sensitive information.

Unfortunately, making every page on a website encrypted is not as easy as changing a configuration option on the server - every page needs checking to make sure that it doesn't try and load any assets (image, stylesheet, script, etc.) in an unencrypted manner. If it does, you will see the dreaded browser warnings about mixed secure and non-secure content:

How do Google & Mozilla intend to persuade website owners to encrypt their websites?

With recent updates to both Chrome and Firefox, web sites that do not use encryption throughout now show a grey exclamation mark where the padlock would normally appear. Clicking on the exclamation mark shows a message warning you that the site is not encrypted:

We expect future updates to the browsers will strengthen this message!

Do I have to do anything if my website shows this exclamation mark?

The simple answer is no - we believe that currently so many high-profile websites still do not encrypt every page that most users are so used to the exclamation mark that it is seen as normal.

In addition to the BBC website used in the example above, other examples of well-known websites that show an exclamation mark in Chrome and Firefox include:

The more complicated answer is that encrypting your entire website is now considered best practice and all new websites built by axisfirst since Spring 2016 have been designed to operate in this mode. We also expect that browsers will, at some point in the future, start displaying messages that are more obviously a warning and less just for information. Google also announced that it will give some preference to encrypted sites in its search results. How much preference is, as always, a closely guarded secret but it is generally believed that it is a smaller contributory factor to search engine optimisation than having a mobile-friendly website.

Retro-fitting this mode of operation to an existing website may be straightforward but may not - depending on its age and a number of factors such as how images have been added via the Content Management System (CMS). If you would like to address this with your website, please contact your account manager or the Web Support team.