Chrome to mark all non-HTTPS websites insecure in July 2018

Google has officially put webmasters on notice, again. In early 2017, Chrome began flagging websites with form or login fields as “not secure” if they did not have an SSL certificate installed. Starting July 2018, all non-HTTPS websites, whether they ask for user input or not, will be labelled “not secure” by Google Chrome.

This is how Google Chrome will mark non-HTTPS sites as “not secure” beginning July 2018. Currently it is only shown on webpages that ask for user input; in July it will apply to all websites.

Chrome is the most popular browser by market share, with 61.4% of global Internet traffic according to NetMarketShare (Jan 2018), so this isn’t something you can afford to ignore. And whatever Google does, Mozilla usually follows suit – Mozilla also began marking some non-HTTPS websites as insecure last year.

After years of security awareness training by banks and institutions, the public has come to recognize the “padlock symbol” as a trust indicator online. While having an SSL certificate is not an iron-clad guarantee of a site’s authenticity, a “broken padlock” certainly does not inspire confidence in your potential customers.

Without SSL/TLS encryption, even static websites remain vulnerable to Man-In-The-Middle (MITM) attacks. It would be trivial for an attacker positioned between your server and the website visitor to modify your website’s content in transit, for example to distribute malware. For this reason, Google is strongly encouraging all websites to switch to HTTPS.

If you use a dashboard to manage your website with a CMS such as WordPress and don’t have HTTPS, you are exposing your admin password in plain text every time you log in. To make matters worse, a hacker on the same Wi-Fi network as you (e.g. in an airport or cafe) can intercept this information by sniffing the packets between your computer and the access point.

So you want to protect yourself and your audience by switching your website to HTTPS? Great, you are making the right move. But there are numerous factors to consider, including redirection, mixed content issues and SEO. You’ll also want to make sure you’re not using deprecated, insecure ciphers, which negate the security benefit of using HTTPS.

Configuring HTTPS is not easy to get right. Even large, corporate websites routinely suffer from misconfigurations that result in certificate errors or redirect loops when users try to access the website. Sometimes these problems are tricky to diagnose, because they only occur with certain browsers (e.g. Safari) or when visiting the website on the “www” subdomain. In addition, if you don’t reconfirm your website on Google Webmaster Tools after installing an SSL certificate, your website’s search engine rankings can suffer.
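As an added example (not part of this article or its author’s tooling), the following Python check models the redirect problem described above: it follows the redirect chain from each of the four http/https × www/non-www entry points and reports a loop, a missing Location header, or a final URL that is not HTTPS. `fetch` is an injectable stand-in for a HEAD request so the check runs offline; the `GOOD` and `LOOPING` redirect tables are constructed, not taken from any real site.

```python
from urllib.parse import urlsplit
# The four ways a visitor can type the address; all should land on one HTTPS URL.
ENTRY_PREFIXES = ["http://", "http://www.", "https://", "https://www."]

def follow_redirects(url, fetch, max_hops=10):
    """Follow 3xx responses from `url`. `fetch(url)` stands in for a HEAD request
    and returns (status, location_or_None). Returns (final_url, chain, error)."""
    chain, seen = [url], {url}
    while True:
        status, location = fetch(url)
        if not 300 <= status < 400:
            return url, chain, None  # terminal response, chain complete
        if location is None:
            return url, chain, "redirect without Location header"
        if location in seen:
            return location, chain + [location], "redirect loop"
        if len(chain) >= max_hops:
            return location, chain, "too many redirects"
        seen.add(location)
        chain.append(location)
        url = location

def check_canonical_https(domain, fetch):
    """Map each entry URL to a problem string ('' when it reaches HTTPS cleanly)."""
    problems = {}
    for prefix in ENTRY_PREFIXES:
        url = f"{prefix}{domain}/"
        final, chain, error = follow_redirects(url, fetch)
        if error:
            problems[url] = f"{error}: {' -> '.join(chain)}"
        elif urlsplit(final).scheme != "https":
            problems[url] = f"ends on non-HTTPS URL {final}"
        else:
            problems[url] = ""
    return problems

def fetch_from(table):
    """Offline stand-in for HEAD requests; unknown URLs answer 404."""
    return lambda url: table.get(url, (404, None))

# Constructed redirect tables standing in for live servers (not real sites).
GOOD = {"http://example.com/": (301, "https://example.com/"),
        "http://www.example.com/": (301, "https://example.com/"),
        "https://www.example.com/": (301, "https://example.com/"),
        "https://example.com/": (200, None)}
# The www and non-www HTTPS vhosts each redirect to the other: a classic loop.
LOOPING = {"http://example.com/": (301, "https://example.com/"),
           "http://www.example.com/": (301, "https://www.example.com/"),
           "https://www.example.com/": (301, "https://example.com/"),
           "https://example.com/": (301, "https://www.example.com/")}
```

Against a live site, replace `fetch_from(...)` with a function that issues a HEAD request without following redirects and returns the status code and Location header.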

Don’t risk losing customers and sales when Google labels your website “not secure” this year. You had better believe that while HTTPS is a minor ranking signal now, it could become more significant in Google’s algorithm in the future. With Internet giants like Google and Mozilla endorsing it, consumers have come to expect HTTPS on any serious website.

SSL certificates range in price from free to Extended Validation (EV) certificates, which validate not only ownership of your domain but also the business address and incorporation of your organization. Depending on how many subdomains you have, you also need to consider whether you want to issue an individual certificate for each common name (CN) or use a wildcard certificate.

Professional Support with Migrating to HTTPS

For most small to medium businesses, we recommend using a domain validation certificate with support for both the “www” and “non-www” versions of your second-level domain name. To simplify maintenance, you could either obtain a commercial certificate with a validity of up to 3 years, or set up a free certificate with an automated Certificate Authority (CA) that renews itself automatically when it nears expiration. The configuration varies based on:

  • Web server type (Apache, Nginx, Lighttpd)
  • Any load balancers between your front and backend servers
  • Whether root access is available
  • Control panel (cPanel, DirectAdmin), if installed
  • Whether CloudFlare is required for DDoS mitigation

Our professional sysadmins can help you identify the best approach to moving your entire website to HTTPS. From experience, managing and installing certificates is a complicated matter for most non-technical folks. The support your SSL vendor or web host is able to provide is probably very limited, given the plethora of configurations out there. You can bring your own certificate, or we can recommend one that is compatible with your server.

We also help with getting the URLs on your CMS-powered website rewritten to HTTPS, an essential step to avoid broken links and mixed-content warnings after the switchover. Finally, we validate our installs with tests such as the Qualys SSL Test, to ensure you’re not suffering from a false sense of security from using compromised cipher suites. If your website is already on HTTPS and earns less than an “A” on the test, we also advise you to contact us for a security checkup.