Will Chrome mark your website as insecure?

Heather

You might be relatively familiar with web addresses that start with http:// and https://, and you’re probably also aware that the HTTPS variety is the secure one. Basically all this means is that when a visitor sends or receives any information to or from the website (e.g. if they log in or fill out a contact form), if your website has HTTPS their information is transmitted securely. If not, it isn’t.

Emily Schechter of the Google Chrome Security Team recently published a blog post outlining Google’s plans to start marking HTTP connections as ‘non-secure’ in Google Chrome. Currently, HTTPS connections are marked as secure, but HTTP connections are not explicitly marked with anything, which can make users complacent about entering their information.

Chrome is by far and away the most popular browser, currently used by around 40% of all UK users, and 55% of desktop and laptop users, and its popularity on desktops and laptops continues to grow. This means that any changes that affect Google Chrome will immediately affect a very large chunk of your website’s users.

Starting January 2017, HTTP sites that transmit passwords or credit card details will show a “non-secure” warning in Google Chrome. If this describes your website, you need to ensure you make the switch to HTTPS as soon as possible. (If you’re not sure how, we can probably help!)
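A site owner can check pages against the January 2017 criterion above before Chrome does. The sketch below is an added example, not code from Google or from this article; it approximates “transmits passwords or credit card details” by looking for password inputs and card autocomplete tokens (an assumption, not Chrome’s own detection logic), and goes one step beyond the text by also flagging HTTPS pages whose forms submit to an HTTP address. The function names and the example.test host are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: card fields are recognised by standard HTML autocomplete tokens.
CARD_TOKENS = {"cc-name", "cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}

class SensitiveFieldFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None   # absolute action URL of the form currently open
        self.findings = []        # (kind, field name, URL the field is submitted to)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            is_pw = a.get("type", "").lower() == "password"
            is_card = bool(CARD_TOKENS & set(a.get("autocomplete", "").lower().split()))
            if is_pw or is_card:
                self.findings.append(("password" if is_pw else "card", a.get("name", ""),
                                      self.form_action or self.page_url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit_page(page_url, html):
    """Return one entry per sensitive field that is exposed to plain HTTP."""
    finder = SensitiveFieldFinder(page_url)
    finder.feed(html)
    report = []
    for kind, name, target in finder.findings:
        reasons = []
        if urlparse(page_url).scheme != "https":
            reasons.append("page served over HTTP")
        if urlparse(target).scheme != "https":
            reasons.append("form submits over HTTP")
        if reasons:
            report.append({"field": name, "kind": kind, "reasons": reasons})
    return report

# Constructed sample markup; example.test is a placeholder host.
LOGIN = '<form action="/session"><input name="pw" type="password"></form>'
PAY = '<form action="http://example.test/pay"><input name="card" autocomplete="cc-number"></form>'

if __name__ == "__main__":
    print(audit_page("http://example.test/login", LOGIN))
    print(audit_page("https://example.test/checkout", PAY))
```
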

In following releases, all pages loading over HTTP will be labelled as “not secure” when using incognito (or private browsing) mode. Eventually, all HTTP pages will be labelled as non-secure, showing a red warning triangle and the words “not secure”.

There is a risk that users will perceive websites displaying these warnings to be “broken” or “dangerous”, so we’re currently working with all of our clients to make the switch to HTTPS. In fact, all new website projects which we undertake will now include HTTPS for the first year as standard.

How can we make our website secure?

All you need is an SSL certificate, and if you’re using our website hosting, we can set one up for you. When we set a basic SSL certificate up, we will use a free certificate authority, so the only cost is our time to set it up for you.

If you have higher security requirements, for example if your website transmits passwords or credit card details, we would recommend using a certificate authority which performs some basic checks on your company when you purchase a certificate through them. Typically, the certificate authority will verify your company details against Companies House, and check your supplied address. This increases user confidence in your certificate and your website’s credibility. These certificates also include warranties which protect you in the unlikely event that a customer’s details are stolen as a result of a weakness in the SSL certificate itself.

If your website handles highly sensitive information, we recommend purchasing an Extended Validation certificate, like the one our website uses. This typically displays a big green bar with your company name in the browser’s address bar. These certificates involve much more stringent checks being performed by the issuing authority to verify your company details. The exact requirements and checks for these vary and are kept secret to prevent people trying to cheat the system, but they often involve a site visit and phone calls to both the provided phone number and any other publicly posted phone numbers for your company.

What’s the difference between HTTP and HTTPS anyway?

HTTP leaves your website’s communications with its users vulnerable to eavesdroppers. HTTP is like sending information back and forth on postcards. Someone can easily intercept the postcards in both directions and see the entire conversation without either party involved being any the wiser.

HTTPS encrypts the information sent both ways. The information is encrypted using an SSL certificate which is issued by a trusted Certificate Authority (CA). This gives our eavesdropper a much harder time since they do not have the private key to decrypt the information.

Does HTTPS have any benefits other than security?

Yes! A couple of years ago, Google began to update their search algorithm to prefer sites using HTTPS, since those sites tend to be more reputable and are more likely to contain information useful to the user.

Additionally, you might not realise it’s also quicker than HTTP. Modern browsers implement a standard called HTTP/2 which actually loads pages over HTTPS much faster than it’s possible to load them over HTTP - you can prove this for yourself using this test page: http://www.httpvshttps.com/

Jargon explained

  • HTTP is the HyperText Transfer Protocol. It’s the method used to send information about web pages between your computer, phone, or tablet, and a website hosting server.
  • In HTTPS, the S stands for Secure. All data sent between the user and the server is encrypted.
  • SSL stands for Secure Sockets Layer – this is the name for the method that HTTPS uses to secure its communications. This is actually an outdated term, and TLS (Transport Layer Security) is the name for the current method used. However, both TLS and SSL are colloquially referred to as SSL, even though they have different technical definitions.
  • An SSL Certificate (also referred to as a TLS certificate) is used to encrypt communications between two computers or devices. One of the computers, the website server in the case of websites, has a private key known only to itself. The other device uses the public key, which is freely sent by the server, to encrypt its messages. Once encrypted, the private key is required to decrypt the messages.
  • A Certificate Authority (CA) is a trusted organisation which can issue SSL certificates. When a user visits a web page that uses an SSL certificate, the web browser will check that the SSL certificate has been issued by a trusted CA, and will usually show the user a warning screen before proceeding if it is not.