Google Chrome now marking non-HTTPS sites as ‘not secure’ in latest roll out
Coinciding with the release of Chrome 68, 24th July 2018 has seen Google mark all non-HTTPS sites as being ‘not secure’ within its Chrome browser.
The news should not surprise many website developers: Google announced the timing of Chrome 68’s launch back in February, and for several years it has been strongly encouraging sites to adopt HTTPS so that users get a more secure web. From this month, however, every page served over plain HTTP is labelled ‘Not secure’ in the Chrome address bar.
It is therefore crucial that website owners and developers switch their sites to HTTPS. HTTPS (Hypertext Transfer Protocol Secure) is ordinary HTTP carried over a Transport Layer Security connection; it protects both the confidentiality and the integrity of the data exchanged between a user’s browser and the website they are visiting.
Data sent over HTTPS is protected by Transport Layer Security (TLS), which provides three critical properties:
- Authentication: the server proves its identity with a certificate, which the browser validates against the hostname in the URL. Users can therefore be confident they are talking to the site they intended, an attacker cannot silently impersonate it (a man-in-the-middle attack), and user trust can be built.
- Data integrity: data cannot be corrupted or modified in transit, whether deliberately or by accident, without the tampering being detected.
- Encryption: exchanged data is encrypted so that an eavesdropper on the network cannot read it. While a user browses a site, nobody in between can ‘listen’ to the conversation, see which pages within the site are visited, or steal the information submitted. Note that the hostname itself is still visible to the network, so HTTPS hides the pages and their contents, not the fact that the site was visited.
Serve your site over plain HTTP and anyone on the network path (a public Wi-Fi operator, a compromised router, an ISP) can read and alter what your users send and receive: credentials and session cookies can be stolen, and pages can be rewritten on the fly to inject ads, malware or phishing content. A poorly configured HTTPS deployment can still leave users exposed, for example to downgrade attacks that push a connection back to HTTP or to a weak protocol version, and to known SSL/TLS vulnerabilities in outdated server software, so the server configuration deserves the same attention as the certificate.
So, how do you implement HTTPS across your website if you have not already? There are a few best practices to bear in mind during the process:
- Make sure Google can crawl and index all of your HTTPS pages. Do not block HTTPS URLs in your robots.txt file, and do not include a meta noindex tag on HTTPS pages.
- Have your HTTPS site support HSTS. HTTP Strict Transport Security is a response header (Strict-Transport-Security) that tells the browser to request the HTTPS version of your pages automatically, even if a user types http:// into the location bar, for as long as the header’s max-age value says. It also signals to Google that it should serve the secure URLs in its search results. A browser only learns the policy after its first successful HTTPS visit, so the server-side redirect below is still required; start with a short max-age, increase it once everything works, and only then consider the includeSubDomains directive and Chrome’s preload list.
- Use robust security certificates. Certificates are issued by a certificate authority (CA) and are what makes HTTPS possible. Before issuing one, the CA verifies that the applicant controls the domain (and, for organisation-validated certificates, that the organisation is who it claims to be); the browser then checks the certificate’s names against the hostname in the URL, which is what stops a man-in-the-middle from impersonating you. Make sure the certificate covers every hostname you serve (for example both example.com and www.example.com), use a key of at least 2048 bits, and renew it before it expires.
- Use server-side 301 redirects. A permanent redirect sends both users and search engines from each HTTP URL to the corresponding HTTPS page or resource, so that existing links and rankings carry over. Redirect each URL to its own HTTPS equivalent rather than sending everything to the homepage, and avoid chains of several redirects.
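The four practices above can be verified before a site is switched over. The following script is an added example, not code from the original article: it turns each practice into an offline check using only the Python standard library, run against constructed stand-ins for what a crawler or browser would observe (the example.com hostnames, header values, certificate names and dates are all assumptions). The X-Robots-Tag check and the hstspreload.org submission rules are additions that the article does not mention.

```python
"""Offline checks for the four HTTPS-migration practices listed above.
Added example, not code from the original article; every input below is constructed."""
from datetime import datetime
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (hostnames, dates and header values are assumptions).
REDIRECT_CHAIN = [  # (requested URL, status, Location header), as a crawler would see it
    ("http://www.example.com/news/", 301, "https://www.example.com/news/"),
    ("https://www.example.com/news/", 200, None),
]
HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
ROBOTS_TXT = "User-agent: *\nDisallow: /admin/\n"
PAGE_HTML = '<html><head><meta name="viewport" content="width=device-width"></head><body></body></html>'
CERT_SANS = ["example.com", "*.example.com"]  # subjectAltName entries of the assumed certificate
CERT_NOT_AFTER = datetime(2019, 7, 24)

def check_redirects(chain):
    """Practice 4: an HTTP URL must 301 in one hop to the same path on HTTPS."""
    first_url, status, location = chain[0]
    if not first_url.startswith("http://") or status != 301:
        return False  # 302/307 tell search engines the move is temporary
    if location != "https://" + first_url[len("http://"):]:
        return False  # e.g. every page redirected to the homepage loses the page itself
    return len(chain) == 2 and chain[1][1] == 200  # no redirect chains; target really answers

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or max-age is invalid."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def check_hsts(headers, preload_ready=False):
    """Practice 2: HSTS present with a positive max-age.  With preload_ready=True also
    apply the hstspreload.org submission rules (max-age >= 1 year, includeSubDomains, preload)."""
    policy = parse_hsts(headers.get("Strict-Transport-Security"))
    if policy is None or policy["max_age"] <= 0:
        return False
    if preload_ready:
        return policy["max_age"] >= 31536000 and policy["include_subdomains"] and policy["preload"]
    return True

class NoindexFinder(HTMLParser):
    """Sets .noindex if the page carries <meta name="robots" content="...noindex...">."""
    noindex = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.noindex |= "noindex" in a.get("content", "").lower()

def check_crawlable(robots_txt, page_html, url, headers, user_agent="Googlebot"):
    """Practice 1: URL not blocked by robots.txt, an X-Robots-Tag header or a robots meta tag."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(user_agent, url) or "noindex" in headers.get("X-Robots-Tag", "").lower():
        return False
    finder = NoindexFinder()
    finder.feed(page_html)
    return not finder.noindex

def san_matches(pattern, host):
    """RFC 6125 style name match: a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def check_certificate(san_names, hostnames, not_after, now):
    """Practice 3: the certificate names every hostname you serve and has not expired."""
    if now >= not_after:
        return False
    return all(any(san_matches(san, h) for san in san_names) for h in hostnames)

if __name__ == "__main__":  # run the four checks against the constructed inputs
    print("crawlable  ", check_crawlable(ROBOTS_TXT, PAGE_HTML, REDIRECT_CHAIN[-1][0], HTTPS_HEADERS))
    print("hsts       ", check_hsts(HTTPS_HEADERS), "preload-ready:", check_hsts(HTTPS_HEADERS, True))
    print("certificate", check_certificate(CERT_SANS, ["example.com", "www.example.com"],
                                           CERT_NOT_AFTER, datetime(2018, 7, 24)))
    print("redirects  ", check_redirects(REDIRECT_CHAIN))
```

To use it against a real site, replace the constructed inputs with the redirect hops, response headers, robots.txt and certificate names you observe; every check must return True before the switch. The wildcard rule in san_matches is deliberately strict: *.example.com covers www.example.com but neither example.com itself nor a.b.example.com, which is exactly how browsers treat it and a common reason a freshly deployed certificate fails for one hostname.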