Edinburgh Web Development

Chrome browser NOT SECURE warning for non-HTTPS pages

Contact pages will be flagged

by Iain Wilson

18 August 2017

An email from Google this month shows they are continuing their drive to make websites use HTTPS (encrypted) pages instead of plain old HTTP (unencrypted). 

From October this year, the latest version of Google's Chrome browser will show a 'NOT SECURE' warning message in the URL bar of any webpage where users enter text on an HTTP page.

For instance, this means if you have an unencrypted contact page which requests a visitor's details, it will be flagged as 'NOT SECURE'.

This is part of Google's 'HTTPS Everywhere' initiative to get everyone using HTTPS, and if you're not at the party yet, you need to get to it.

It's just a matter of time before they flag every non-HTTPS page as insecure (in fact, in a way they already have - see the next section).

As Chrome has just under 45% of the browser market in the UK, this is a very significant development for website owners.

The current state of play

Earlier this year they started flagging any HTTP pages that had login input fields on them.

Now, if you're operating an ecommerce site, that's not really something you want your clients to see.  

If a client clicks on the warning message, they will see a message something like this one. Slightly alarming, and if your site is a few years old, it is possible that message could be showing on any login page you have.

In October, the message will show up on any HTTP webpage that has text input fields, such as a contact page or search facility.

You don't have any login, contact or search pages? Sorry, you don't get to walk away. Right now on Chrome, any HTTP page has a little 'i' in a circle in the URL bar.

Guess what you see if you click on it?  Correct, you see the 'Your connection to this site is not secure' message. 

And if you're operating in Incognito mode, from October all HTTP pages will be flagged as 'NOT SECURE'. 

Most importantly, Google have already stated the 'NOT SECURE' warning will appear on any HTTP page in due course.

Why are Google doing this?

Google's rationale is pretty straightforward - they wish to inform users that HTTP provides no data security.  They want users to make an informed decision on whether they should interact with a webpage.

HTTPS provides a security layer which encrypts the transmission and reception of data between your browser and the website, and can also authenticate the origin of the webpage. 

Google's reasoned view is that if you're providing 'sensitive' information, it should always be done over HTTPS, and if it's not over HTTPS, you should be informed.

Google want to take it even further with the 'HTTPS Everywhere' initiative so that using HTTP becomes a thing of the past.

Is it important to you?

If you have a website, it should be.

Visitors coming to your site and seeing 'NOT SECURE' messages on your contact page may be reluctant to proceed with filling in the form and sending you their message.

But if they see a padlock that says 'Secure' they are going to feel a whole lot more, er... secure.

Not only that, because of their commitment to HTTPS, Google say they have been using HTTPS as an additional 'ranking signal' since 2015 - so there can be SEO benefits for your website, too.

It's not only Chrome that is doing this.  Firefox browsers are already displaying their own versions of the warning.

OK, how do I make my website HTTPS?

It's not rocket science, but you do need to know your way around web hosting and understand your website 'under the hood'. SSL certificate installation can be a tricky process.

Step 1

The first thing you need is an SSL certificate for your domain.  Forget about using a shared certificate (different domain to yours), which could be used in the old days to encrypt individual pages; you need a dedicated one for your domain. Commercial SSL certificates cost money - in the region of £50-£250 per annum.

Step 2

Once the certificate is installed, you'll need to make sure all your internal links and references are changed to use HTTPS instead of HTTP.  This will be in every location you have website data and internal URLs:

  • Pages
  • Menus
  • Images
  • Databases
  • Javascript
  • Canonical references
  • RSS feeds

In addition, wherever possible change all external links to your website to point to HTTPS addresses. 

  • Social media accounts - Twitter, Facebook Pages, Instagram etc.
  • Advertising such as Adwords, Facebook etc.
  • Links from other websites

Step 3

Set up redirects so that any request for an HTTP page is sent to its HTTPS equivalent.  This means that visitors who have bookmarked HTTP webpages, search engines that have indexed them, and websites that you haven't managed to change, will be directed to the HTTPS page.

Step 4

Generate a new Google sitemap and submit it to Google using the Search Console.
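A small audit for Steps 2 and 3, added here as an example and not code from the original article: it lists the internal `http://` references still left in a page and checks that a recorded redirect really lands on the HTTPS equivalent. The host `www.example.com`, the sample page and the function names are constructed, and accepting only a permanent (301/308) redirect to the same host and path is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class InsecureRefFinder(HTMLParser):
    """Step 2: collect http:// references that point at our own host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src", "action") or not value:
                continue
            parts = urlsplit(value.strip())
            # Relative and https:// URLs are fine; other hosts are out of scope.
            if parts.scheme == "http" and parts.hostname == self.site_host:
                self.findings.append((tag, name, value.strip()))

def find_insecure_refs(html, site_host):
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

def redirect_ok(requested_url, status, location):
    """Step 3: the HTTP URL must redirect permanently to the same page on HTTPS."""
    req, loc = urlsplit(requested_url), urlsplit(location or "")
    return (status in (301, 308) and loc.scheme == "https"
            and loc.hostname == req.hostname
            and (loc.path or "/") == (req.path or "/")
            and loc.query == req.query)

# Constructed sample page: canonical link, image and form still use HTTP.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://www.example.com/contact">
<script src="https://www.example.com/js/site.js"></script>
</head><body>
<a href="/about">About</a>
<img src="http://www.example.com/img/logo.png">
<a href="http://other.example.org/">Partner</a>
<form action="http://www.example.com/send" method="post">
<input type="text" name="email"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_refs(SAMPLE_PAGE, "www.example.com"):
        print(f"<{tag} {attr}> still uses {url}")
```

A redirect that sends every HTTP request to the HTTPS home page fails `redirect_ok`, because bookmarked and indexed deep links would no longer reach their page.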

Conclusion

Going to HTTPS is a no-brainer.  The Internet is going to be encrypted, so you might as well get it done now.  

It's a good thing - everyone benefits from a secure web.

Need help?  Just get in touch with us (via our secure contact page).

Blot Design,
10 Colinton Road, Edinburgh, EH10 5DT,
0131 208 1792