Google has started phase two of its plan to label all HTTP pages as “non-secure.”
On Google’s official blog, they wrote the following:
“Any information that any user types into websites should not be accessible to other individuals on the network. So, beginning in version 62 Chrome will show the “Not secure” warning notification whenever users type data into HTTP sites.
Any data would include the following:
- Search fields;
- All comment boxes: including Name, website, email address, and comment;
- All other forms, such as contact forms, forms that capture details for mailing lists, forms to enter giveaways
- Anywhere else that you can imagine, where a user can key in something on your website. Moreover, that information transmits data to your server or any other server that collects the information.
- If your page has any of the above, visitors will see a “Not secure” warning.”
In September 2016, Google first stated that the “Not secure” notification would come in January 2017. It applied to any site that required passwords or collected credit card information. We have also known for some time that Google would extend this warning. Google has been very clear about its desire to make the internet a more private and secure place.
October 2017 marked stage two of Google’s plan to label all HTTP pages as ‘Not secure’ in Chrome. In January 2017, Google began to tag some HTTP web pages as ‘non-secure.’ This coincided with the release of Chrome 56. That phase affected numerous pages that transmit sensitive information, such as login and payment-card data, over the internet.
The not-secure label means that the data exchange happens over an unencrypted and unsecured connection. HTTPS, on the other hand, is the secure version of HTTP. It offers better protection against individuals on the same network viewing or changing the traffic, more commonly known as a man-in-the-middle attack.
Google Chrome now tags HTTP pages as insecure if users can enter any information. Google highlights that this applies to any page with a search box.
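A site owner can inventory which pages fall under each phase before migrating. The script below is an added example, not code from Google or from this article; the `audit` helper, its rule labels, the sample pages and the `cc-*` autocomplete heuristic for card fields are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types a visitor cannot type into; every other type counts as typed data.
NON_TYPED = {"hidden", "submit", "button", "checkbox", "radio", "image", "reset", "file"}

class FieldCollector(HTMLParser):
    """Collects the form fields on a page that a visitor can type into."""
    def __init__(self):
        super().__init__()
        self.typed = []       # every text-entry field, e.g. "input[type=search]"
        self.sensitive = []   # password and payment-card fields only

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "textarea":
            self.typed.append("textarea")
        elif tag == "input":
            kind = a.get("type") or "text"   # a missing type defaults to text
            if kind in NON_TYPED:
                return
            label = f"input[type={kind}]"
            self.typed.append(label)
            # Assumption: card fields are recognised by autocomplete="cc-*".
            if kind == "password" or a.get("autocomplete", "").startswith("cc-"):
                self.sensitive.append(label)

def audit(url, html, incognito=False):
    """Return (rule, fields): the 'Not secure' rule an HTTP page falls under."""
    if urlsplit(url).scheme != "http":
        return None, []                      # HTTPS pages are never labelled
    c = FieldCollector()
    c.feed(html)
    if c.sensitive:                          # phase one (Chrome 56)
        return "chrome56-password-or-card", c.sensitive
    if c.typed:                              # phase two (Chrome 62)
        return "chrome62-user-input", c.typed
    if incognito:                            # Chrome 62: any HTTP page in Incognito
        return "chrome62-incognito", []
    return None, []

# Constructed sample pages: a post with a search box and comment form, and a login page.
BLOG = ('<form><input type="search" name="s"></form><form><input name="author">'
        '<input type="email" name="email"><textarea name="comment"></textarea>'
        '<input type="submit"></form>')
LOGIN = '<form><input name="log"><input type="password" name="pwd"></form>'

if __name__ == "__main__":
    print(audit("http://example.test/post", BLOG))
```

Running `audit` over every template of a site gives the list of pages to prioritise; the same page served over `https://` returns no rule.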
Emily Schechter, a Chrome Security Team product manager, stated that “any data that users key into sites should not be accessible to others on the network. So, beginning in Chrome’s version 62, it will show the ‘Not secure’ notice whenever users type data into HTTP sites.”
The heightened warnings for HTTP pages added pressure on site owners to obtain the required SSL/TLS certificates and set up HTTPS on their web servers. Additionally, notifications for any user-input field cast a wider net than log-in and payment pages, given the number of sites with a search box.
The makers of Mozilla Firefox did not comment on whether or not they will follow Chrome’s move. However, Firefox also began displaying ‘in-context’ notifications for payment and login pages. One site owner discovered the consequences of not enabling HTTPS on payment and login pages and, amusingly, filed a bug report with Mozilla asking it to remove the warnings.
Chrome 62 includes warnings for all HTTP pages even when the user opts for Chrome’s Incognito mode.
Whenever users browse using Chrome in Incognito mode, they likely have high expectations of privacy. However, HTTP browsing is not private to other individuals on the network. So, in version 62, Google Chrome also notifies users when they visit an HTTP page in Incognito mode. An SSL certificate provides security by enabling an encrypted connection between the visitor and the server. Even with it, your ISP will still be able to tell which domains you visit. However, once you visit a secured website, your ISP cannot get information on the specific pages you visit, because that traffic is now encrypted.
Chrome now displays ‘Not secure’ in red. Besides being for our own good, Google has another reason for pulling the web towards HTTPS: it supports its push for developers to embrace progressive web apps through JavaScript ‘service workers’, which browsers only allow on pages served over HTTPS.
Additionally, according to Google’s HTTP Transparency Report, more than half of all websites viewed on the desktop are loaded over HTTPS. For Chrome iOS, 71% of pages are loaded over HTTPS, while the figure is 58% for Chrome on Windows. While it is becoming more common for sites to enable HTTPS, dozens of the world’s most popular sites still have not.
Ways to Avoid the Not-Secure Notification in Chrome for WordPress
The first step to avoid the Not-Secure notification in Chrome is to migrate your website to HTTPS.
Pages served over HTTPS do not trigger any Not-Secure notification, so migrating all of them also makes your site future-proof against the red-flag notifications that are evidently coming for all non-HTTPS websites on the internet.
To move your websites to HTTPS, you will need to obtain an SSL certificate for your website.
There are three different levels of SSL certificates you can choose from, depending on your needs. They are:
- Domain Validation
- Organization Validation
- Extended Validation
The most affordable, and often free, option is to obtain Domain-level validation via Let’s Encrypt (discussed below). For other types of validation, you will need to invest in a paid SSL certificate for your website.
Let’s Encrypt is an automated, open, and free Certificate Authority. It makes it painless to obtain an SSL certificate for your website. Numerous companies, including Automattic (WordPress.com), Facebook, Google (Chrome), and Mozilla (Firefox), have all sponsored the project.
Furthermore, several WordPress hosting companies have already enabled support for Let’s Encrypt, making it possible for people, including you, to acquire an SSL certificate for your website immediately.
Some of the known and popular WordPress hosts which offer free SSL from Let’s Encrypt include:
- Bluehost
- FlyWheel
- SiteGround
- WP Engine, among others.
Additionally, CloudFlare also grants free Shared SSL on its free plan. Numerous WordPress users utilize CloudFlare for the free CDN. It is crucial that pages served over a CDN are also served over HTTPS.
SSL certificates used to be really expensive. However, with the introduction and extensive adoption of free options such as Let’s Encrypt, paid SSL certificates have come down significantly in price.
If you have an e-commerce website, or receive payments on your site, then it might be worth investing in a paid SSL solution, because it comes with additional validation levels like Extended Validation or Organization Validation. Moreover, it is, in fact, vital that you have a secure HTTPS site for e-commerce purposes. Payment processing firms like PayPal and Stripe strictly require you to have a secure SSL connection.
If you need assistance with implementing the necessary steps to avoid the impending Google security warnings, we are here to help.
Our dedicated professional specialist will assist you and your business in getting your website ready for it. That way, you and your site are fully prepared to face whatever Google throws at you.