UPDATE: From October 2017 Chrome will begin flagging any page that has a text input field that a user interacts with, but isn't an HTTPS page, as 'not secure'. That means that any non-HTTPS page that features a search box, and that a user interacts with, will be flagged as 'not secure' to the user - an update that will put at risk the reputation and conversions of any affected site.
TL;DR: The biggest browser in the world, Chrome, plans to flag all HTTP pages as ‘not secure’.
The web has changed a lot over the last couple of decades. However, two seemingly rare but distinct behaviours have remained: 1. People like to break things, the majority of the time just to prove that they can and 2. People like to listen in and steal your personal information. These two behaviours, when combined with the dramatic growth of online banking, online shopping and Wi-Fi hotspots, have created a toxic environment. An environment so full of security flaws that anyone with enough tenacity would need no more than a couple of hours to get insight into their neighbour’s browsing habits and login details.
The tech giants have been aware of these flaws for a long time, which is why Netscape, back in 1995, developed the first version of HTTPS (SSL 2.0) to allow information across the web to be encrypted and be read only by those for whom the information was intended.
This was great. It allowed webmasters and developers to encrypt all the data between their servers and users. It allowed secure online banking, and it aided the growth of consumer confidence in online shopping. However, it also missed something. While it’s great to encrypt the sensitive parts of the web, what about the rest of the web: Your Google searches? Your chats on Facebook? Your browsing habits on Flickr? For the web to protect the security interests of all users, surely all communication across it needs to be secure? Google, Microsoft and Firefox have all been aware of this for some time and, over the past few years, have attempted to shift the web towards achieving it:
- Oct 2011: Google encrypted its search
- Nov 2013: Firefox announced HTTPS-only implementation for HTTP/2
- Jun 2014: Google launched its ‘HTTPS Everywhere’ campaign
- Aug 2014: Google announced HTTPS as a ranking signal
- Dec 2014: Chromium team suggested HTTP pages should be flagged as such
- Jun 2015: Bing encrypted its search
- Dec 2015: Google announced the indexing of HTTPS pages as a default
- Mar 2016: Chrome debuts its DevTools security tab
And now, in September of 2016, Google gave this move another push by announcing that from January 2017, all HTTP pages that collect passwords or credit cards will be marked to users as ‘not secure’:
Google’s example of Chrome 56 flagging pages that collect passwords or credit cards as ‘not secure’
This is the first time Chrome will behave differently based on whether it believes a page should be secure. For certain webmasters this will be infuriating; however, it is a needed step forward in better securing the web.
Emily Schechter, the author of the announcement, continues by writing that this is
"part of a long-term plan to mark all HTTP sites as non-secure".
This is huge. Chrome, the browser with the biggest market share in the world, plans to not only flag the presence of HTTPS, but also flag the lack of it. And while this has been something the Chromium team has been toying with since 2014, it is the first announcement that this stance will come to fruition.
Google’s example of how Chrome will eventually flag all HTTP content as ‘not secure’
This will be the biggest push any tech giant has used in the move to HTTPS and is one that will force every online business that wants to stay competitive to switch its website to HTTPS.
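As an added example (not from the original article and not Chrome's own logic), the following static audit sorts a site's pages by the phase in which, per the timeline described here, Chrome would start flagging them. The field-detection heuristics (input types, `autocomplete="cc-*"` tokens), the phase labels and the sample URLs are assumptions made for illustration; Chrome's real detection may differ.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types treated as free-text entry (assumption: approximates "text input field").
TEXT_TYPES = {"text", "search", "email", "tel", "url", "number"}

class _InputScanner(HTMLParser):
    """Records whether a page has password, card, or text-entry fields."""
    def __init__(self):
        super().__init__()
        self.password = self.card = self.text = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "textarea":
            self.text = True
        elif tag == "input":
            kind = a.get("type") or "text"  # a missing type defaults to text
            if kind == "password":
                self.password = True
            elif kind in TEXT_TYPES:
                self.text = True
            # Assumption: card fields are recognised by autocomplete="cc-*" tokens.
            if any(t.startswith("cc-") for t in a.get("autocomplete", "").split()):
                self.card = True

def classify(url, html):
    """Return the earliest phase in which the page is flagged, or None for HTTPS."""
    if urlsplit(url).scheme.lower() == "https":
        return None
    s = _InputScanner()
    s.feed(html)
    if s.password or s.card:
        return "jan-2017"   # collects passwords or credit cards
    if s.text:
        return "oct-2017"   # has a text input a user could interact with
    return "eventual"       # plain HTTP page, covered by the long-term plan

# Constructed sample pages (hypothetical URLs and markup).
SAMPLES = [
    ("http://shop.example/login", '<form><input type="password" name="p"></form>'),
    ("http://shop.example/pay", '<input name="n" autocomplete="cc-number">'),
    ("http://blog.example/", '<input type="search" name="q">'),
    ("http://blog.example/about", "<p>About us</p>"),
    ("https://blog.example/", '<input type="password">'),
]

def audit(pages=SAMPLES):
    return {url: classify(url, html) for url, html in pages}

if __name__ == "__main__":
    for url, phase in audit().items():
        print(f"{phase or 'ok':9} {url}")
```

A static scan cannot tell whether a user actually interacts with a field, so the `oct-2017` bucket lists every page that could trigger the warning.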
So, do I need to go secure?
Yes. The biggest browser in the world plans to highlight to its users all pages that aren’t HTTPS. When this happens any HTTP website will be putting an automatic blocker between itself and its users, a blocker that screams ‘this site cannot be trusted’, and ultimately, a blocker that will only serve to damage conversions.
But my website doesn’t take payments so do I need to care?
Yes. Just because a website doesn’t deal with sensitive data, this doesn’t mean it can escape moving to HTTPS. For the web to protect the security interests of all users, all communication across it needs to be secure. Securing only the sensitive parts of the web is, in itself, a red flag to ill-intentioned users; therefore, for the web to protect its users, all communication across it will eventually need to be encrypted. Google knows this, and that is why even if your website is just a photography portfolio site, or a WordPress blog, you will need to eventually move to HTTPS.
When do I need to make my site secure?
Get started now. The sooner a website moves to HTTPS, the sooner marketing teams and webmasters can stop worrying about the move and focus on creating great experiences for their users.
It doesn’t matter what a website is for, who it targets, or what data it collects: to stay competitive it will eventually need to move to HTTPS. The future of the web is secure and moving to HTTPS will eventually become not just a nice-to-have, but a must-have.
So finally, in the sharp words of Google’s Gary Illyes:
"If you're an SEO and you're recommending against going HTTPS, you're wrong and you should feel bad." (Gary Illyes, @methode, August 18, 2015)
Looking for help in moving to HTTPS? Get in touch and let us help guide you through.