If you’re still running a website over unencrypted HTTP, then it’s probably too late.
Some of your website’s visitors are going to be greeted with a message that tells them that they can’t trust your website to be secure.
That’s the message they’re going to get from Google Chrome which – in version 68 released on Tuesday 24 July 2018 – is changing its behaviour, and will start labelling all sites that continue to use unencrypted HTTP as “not secure”.
And as Chrome is the world’s most widely-used browser, that’s an awful lot of visitors who might feel unsettled visiting your website from Tuesday.
It’s not as though website administrators haven’t been given fair warning. The Chrome browser has been marking HTTP webpages that ask for passwords or payment card details as not secure since early last year.
And in February, Google confirmed that with the release of Chrome 68 this month it would “mark all HTTP sites as ‘not secure’.”
HTTPS is good for your website visitors, and it’s good for your website.
Enabling HTTPS stops your webpages from being tampered with in transit, and stops anyone from snooping on the data that your users might be sending to your website. And, if you need any more convincing, Google has indicated that if your website has HTTPS that’s going to help your search ranking too.
And HTTPS doesn’t have to cost you anything. The Let’s Encrypt initiative lets anyone who owns a domain name obtain a trusted certificate at no cost. If Let’s Encrypt is too nerdy for you, you might be able to use the likes of Cloudflare’s free plan to get that all-important HTTPS in your URL.
Security expert Troy Hunt has created a simple website entitled (appropriately) httpsiseasy.com which can walk you through the process of setting up with Cloudflare.
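Once a site has been moved to HTTPS, the work isn’t finished: a page served over https:// that still pulls scripts, images or stylesheets from http:// addresses is not fully protected either. The following is an added example, not code from the original article or from any of the services it mentions: a small offline audit that reports which pages in a site inventory would be labelled “Not secure” by Chrome 68 (plain HTTP) and which HTTPS pages still reference insecure subresources. The page inventory and HTML are constructed sample data; a real audit would fetch each URL.

```python
"""Audit pages for the state Chrome 68 labels "Not secure" (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs through which a page loads subresources.
_SUBRESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src")}


class _MixedContentFinder(HTMLParser):
    """Collects absolute http:// URLs of subresources referenced by a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only counts when it is a stylesheet, not e.g. rel="canonical".
        is_stylesheet = tag == "link" and "stylesheet" in (attrs.get("rel") or "")
        for name, value in attrs.items():
            if value and ((tag, name) in _SUBRESOURCE_ATTRS or (is_stylesheet and name == "href")):
                absolute = urljoin(self.page_url, value)  # resolves relative and // URLs
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append(absolute)


def mixed_content(page_url, html):
    """Return the http:// subresource URLs referenced by an https:// page."""
    finder = _MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure


def chrome68_label(url, html=""):
    """'Not secure' for plain HTTP; this example's own 'Mixed content' /
    'Secure' labels for HTTPS pages with or without http:// subresources."""
    scheme = urlsplit(url).scheme
    if scheme == "http":
        return "Not secure"
    if scheme == "https":
        return "Mixed content" if mixed_content(url, html) else "Secure"
    return "Unknown"


# Constructed sample inventory (hypothetical hosts), as a crawler might record it.
SAMPLE_PAGES = {
    "http://shop.example/": "<html><body>hello</body></html>",
    "https://blog.example/": '<script src="http://cdn.example/analytics.js"></script>',
    "https://docs.example/": '<link rel="stylesheet" href="/style.css"><img src="//cdn.example/logo.png">',
}


def audit(pages=SAMPLE_PAGES):
    """Map each page URL to its label, for reporting."""
    return {url: chrome68_label(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, label in audit().items():
        print(f"{label:14} {url}")
```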
There are going to be some website owners who are going to be pretty upset about Chrome telling their users that their websites are “not secure”. There may even be some regular internet users who are upset too.
But this is an important step in the journey of making the internet a safer, more secure place. Going forward, encryption should be the default, not the exception.
Listen to more discussion about this topic in this episode of the “Smashing Security” podcast:
Smashing Security #088: 'PayPal’s Venmo app even makes your drug purchases public'
8 comments on “Google Chrome users met with ‘Not secure’ warnings when visiting HTTP sites”
One thing the article doesn't address is Google's reasoning behind this, which I think is sound. People don't react the same way to a positive identifier – that of something being present – as they do to a negative identifier – that of something missing. People are more likely to notice and take action if you tell them something that *should* be there is missing. Then there's the more philosophical angle – serving a site over HTTPS isn't really a guarantee that's a site is "secure", since phishing sites can easily get a DV certificate through Let's Encrypt. Conversely, not having HTTPS *does* mean the site is insecure, since it's vulnerable in that state.
"Tuesday 23 July 2018" is a typo: We've got Monday 23 July 2018 & Tuesday 24 July 2018.
Thanks for the correction. Tuesday 24 July 2018 is correct – which is today! :)
It isn't bad enough that Google reads your email; now they censor what sites you can see!
They are an ad agency, the internet's self-appointed policeman.
For god's sake, please spare us the hubris of Google, not all sites need security, many don't sell things, have login, collect data, take payments or are socially connected.
Thanks Graham for keeping us informed.
I don't think it's fair to describe what Google is doing as censorship.
This change in functionality within Google Chrome doesn't stop you from visiting any websites. It *does* inform you if the website you're visiting hasn't taken the sensible step of using HTTPS (which is good for both the website owner, and the website visitor).
It’s a mistake to think that the only sites that need HTTPS are those which you log into or ask for personal information.
Let's put it another way.
I walk into a bar which has a smoking-allowed policy, I climb up to the bar, order a pint of double chocolate, and then light up. The bully at the end of the bar says "Put that out or I will come over and put it out for you."
I do not put it out, so he comes over, grabs my Macanudo, drops it to the floor, stomps on it, and yells to everyone in the bar: "This jerk is smoking, it's bad for you and I am protecting you."
Does his earlier warning that he would do that, make it right?
We may all agree that having encryption is a good thing, I certainly do, but having a bully wiping out my $7 Macanudo or blocking a site I wish to view, regardless of the risk, is not acceptable behavior.
It is internet bullying by the biggest bully on the internet.
To be clear, Google isn't blocking sites that don't use HTTPS.
With respect, I disagree. But this isn't the place to have that discussion.
Thanks for posting and responding.
Keep up the good work.