Google Chrome, HTTPS, and the HTTP Purge

Are you browsing a website on Chrome? Head to your website and check out the address bar. If you’re a business, ideally your IT people have already switched over your site from HTTP to HTTPS, given you the nice green lock icon and a ‘Secure’ statement. If they haven’t, or if you have no IT people, chances are your website either has a “!” mark or it’s already been marked “Not Secure”. Once Chrome version 68 comes online, all non-HTTPS sites will be marked “Not Secure”. The Register has already called it the “looming Google Chrome HTTPS certificate apocalypse”:

Tens of thousands of websites are going to find themselves labeled as unsafe unless they switch out their HTTPS certificate in the next two months.

Thanks to a decision by Google to stop trusting Symantec-issued SSL/TLS certs, Chrome browser users visiting websites using a certificate from the security biz issued before June 1, 2016 or after December 1, 2017 may be warned that their connection is not private and someone may be trying to steal their information. They will have to click past the warning to get to the website.
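To find out whether a given certificate falls under the rule quoted above, check its issuer and issue date. The sketch below is an added example, not code from Google or The Register. It applies the quoted date window to certificate dictionaries shaped like the ones Python's `ssl.SSLSocket.getpeercert()` returns. The brand list, the handling of the exact boundary instants, the host names and the sample certificates are assumptions constructed for illustration.

```python
import ssl

# Assumed list of issuer organisation names that were Symantec-run brands.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")

# Window from the quoted article: issued before June 1, 2016 or after
# December 1, 2017. Treating both dates as 00:00 GMT is an assumption.
WINDOW_START = ssl.cert_time_to_seconds("Jun  1 00:00:00 2016 GMT")
WINDOW_END = ssl.cert_time_to_seconds("Dec  1 00:00:00 2017 GMT")


def issuer_org(cert):
    """Pull organizationName out of the nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def chrome_symantec_warning(cert):
    """Return a reason string if the cert matches the quoted rule, else None."""
    org = issuer_org(cert)
    if not any(brand in org.lower() for brand in SYMANTEC_BRANDS):
        return None  # issued by someone else: rule does not apply
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    if issued < WINDOW_START:
        return f"{org}: issued before June 1, 2016"
    if issued > WINDOW_END:
        return f"{org}: issued after December 1, 2017"
    return None  # Symantec-issued, but inside the still-accepted window


def _sample(org, not_before):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),)),
            "notBefore": not_before}


# Constructed inventory: hypothetical hosts and certificates.
INVENTORY = {
    "shop.example": _sample("Symantec Corporation", "Mar 14 00:00:00 2016 GMT"),
    "blog.example": _sample("GeoTrust Inc.", "Feb  7 00:00:00 2017 GMT"),
    "mail.example": _sample("thawte, Inc.", "Jan 15 00:00:00 2018 GMT"),
    "wiki.example": _sample("Let's Encrypt", "May  2 00:00:00 2018 GMT"),
}


def audit(inventory):
    """Map each host to its warning reason, keeping only affected hosts."""
    hits = {host: chrome_symantec_warning(c) for host, c in inventory.items()}
    return {host: why for host, why in hits.items() if why}
```

Matching on the issuer's organisation name is a heuristic; the authoritative check is which root the chain ends in.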

But wait, you might say. I don’t use Syman-whatsits. I don’t even use Chrome, I’m a diehard Mozilla/Internet Explorer/Safari user. If you’re using Firefox/Mozilla, good for you, it’s apparently faster and more secure than Chrome, but its low integration with Tweetdeck tanked it for us. Like Google, Mozilla has already been pushing people towards HTTPS for a while: all new Firefox features in 2018 will only work with HTTPS. If you’re using IE or Safari… eh… sure… but HTTPS websites are also visibly marked secure on those address bars. Inaction will still hurt your website even if you can’t see its immediate effect. It will affect your SEO (Search Engine Optimisation) — you will rank lower on search engines and receive fewer visitors to your website.

Hang On, Slow Down, What Even Is All This?

HTTP stands for Hyper Text Transfer Protocol, and the ‘S’ at the end of HTTPS just stands for Secure. It means all communications between the site and the browser are encrypted, protecting sensitive data such as online banking and forms. Initiating an HTTPS connection to the website gets the website to send you its SSL certificate, which carries a public key that allows you to begin a secure session with the website. Think of it as heading into a bank to talk to a banker. Instead of talking to the banker out in the lobby of the bank, you get a key for a secure meeting room where you can talk about your financial matters/health issues/your dog in relative security.

Benefits of having HTTPS certification include:

  • Customer info is encrypted and can’t be intercepted (between the browser and the website).
  • Visitors can see that you’re a registered business and own the domain.
  • Visitors are more likely to feel that you’re a trustworthy business.
  • It’s good for the health of the internet in general.

Visiting only HTTPS websites does NOT mean that people can’t get scammed online:

  • Yes, nefarious websites can also acquire an HTTPS certificate. In the words of the Mozilla blog, the job of HTTPS is to provide you with a secure line. It doesn’t ensure that you’re not talking to crooks on that line. As a business, this means being actively conscious of the possibility that people might use phishing to mimic your site and trick your customers.
  • HTTPS certification helps prevent people from seeing what info you submit to a website. Attackers have other ways to gain private information: keyloggers, for example, are malicious software that log every key that you press on a keyboard, then email that information to a hacker. And of course, hackers routinely hack customer databases such as Sony’s and Adobe’s to acquire data like passwords and credit card details.

So What’s Happening?

Many sites have been migrating to HTTPS over time. Chrome’s deadline came about because they think that by July, a sufficient majority of websites will have moved over, enough that they can brand all remaining HTTP sites “Not Secure”.

Google and Mozilla have already been trying to nudge people from unencrypted sites for years. Remember clicking through to a site and then running head-first into a “You’re About to Enter a Not Secure Website Error Error Are You Seriously Going to Do This” kind of page? Scary, right? I’ve left sites before instead of heading through. That happened because of the stoush between Google and Symantec (check out the Register’s article above if you’re curious) which resulted in Symantec selling off their SSL certificate business.

Let’s Encrypt and Other Solutions

Your hosting provider might already have an inbuilt solution on hand — contact them if you have any questions. If they don’t, you’d have to get an SSL certificate from a certificate authority. You can get one for free from Let’s Encrypt. There are instructions for installation in that link, as well as a list of hosting providers which are Let’s Encrypt compatible. For those that aren’t, you could either choose to live with HTTP or try to do it manually. Need to know more? We’re happy to chat.
