Chrome 68 is out, all HTTP sites will now be marked “Not Secure”

Google Chrome 68 makes HTTPS mandatory – have you installed an SSL certificate yet?

Today is the start of the roll out for Google Chrome 68 — the version that makes HTTPS mandatory. This event has been on the horizon for two years. I know this because I have been writing this same article for two years.

But what’s one more time? Starting today, Google will begin rolling out the stable version of Chrome 68. It’s important to note that not every user will be on 68 right away. Owing to its massive user-base, Google tends to roll these updates out over the course of a week or two to ensure that everything releases smoothly. It also makes it easier to roll something back if it’s implemented incrementally.

So not everyone will be on Chrome 68 right out the gate, but make no mistake about it, starting today Chrome users are going to see some big changes.

What’s changing in Chrome 68?

Starting today, any website still being served via HTTP will receive a negative visual indicator that says, “not secure” beside the URL in Chrome’s address bar.

Here’s an example of how the treatment for HTTP will change, using Chrome 64 (which has the current user interface) against Chrome 68.

Google Chrome 68, HTTP

Google plans to up the ante in future versions of Chrome, too. Soon, when someone attempts to input text into an HTTP page the warning will switch from black font to a more urgent shade of red.

That’s not all, either. Currently websites that are being served via HTTPS receive a positive indicator—it says “Secure” with a little padlock icon in the space to the left of the URL in the address bar.

But not for long. In a future release Google plans to eliminate the indicator for Domain Validated and Organization Validated SSL certificates entirely.

Google Chrome 68, HTTPS

Why is Google making HTTPS mandatory?

It all comes down to the overall security of the web. HTTP has served its purpose but its fatal flaw is in its lack of security. Specifically, its lack of connection security. When an internet user’s web browser arrives at an HTTP website, all of their communication with that site is sent in plaintext that can easily be intercepted and stolen. This is hardly ideal in a number of contexts, from online banking to healthcare to social media, so Google and the rest of the browsers are pushing to make better connection security a default for the entire internet.

When you install an SSL/TLS certificate and migrate your website to HTTPS, it facilitates encrypted connections, which keep the data being transmitted from being eavesdropped on or even manipulated.

You may not have noticed, but most reputable businesses and organizations on the internet already use SSL/TLS certificates and HTTPS. You can tell by the little green padlock beside the address bar. Some browsers also still show the protocol https:// at the start of the URL, too.

By requiring all websites to have encryption, it effectively eliminates an action that users would otherwise have to take in order to ascertain whether they have a secure connection with the website they’re visiting. What? You don’t already do that? Join the club. That actually bolsters Google and the other browsers’ position.

Many users don’t know what to look for to check connection security. Many users don’t even know what connection security is at all. So asking them to check for a padlock or a protocol at the start of a URL is what Google calls “actively hostile to the user.”

Personally, I think there’s an air of hyperbole in that word choice, but Google aims to simplify connection security to the point where encryption and HTTPS are just standard and users don’t have to worry about checking for them.

You should probably still try to make sure you know who is running the site. Bad guys can get SSL and serve their sites over HTTPS, too. But the days of checking visual indicators are over. That’s why Google is retiring its “Secure” indicator. For one, I wouldn’t say it was actively hostile, but it did confuse a lot of users into getting phished. But more importantly, when HTTPS is the default, there’s no need to incentivize or reward websites for having it.

The only time the user needs an indicator is when encryption is not present.

What do I need to do to avoid the wrath of Google?

Short of making some sort of symbolic offering following a pilgrimage to its palace in the Valley of Silicon, your best bet is to procure and install an SSL certificate immediately.

The point of this article is to inform, so I’ll be CA-agnostic and just say that there are a range of options for every site owner, depending on your size and scope. Everything from free Domain Validated certificates to Extended Validation certificates that showcase an organization’s name in the address bar is available.

Before you make a decision, it’s probably a good idea to figure out what you need to encrypt, how many domains, sub-domains, etc. There are different certificate types for each budget and use-case. Just remember, every public-facing page and asset now needs to be served via HTTPS. You can use 301 redirects to point browsers to the correct HTTPS page.
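One way to check both points after a migration, as an added example that is not from the original article: the script below lists sub-resources a page still references over http:// and validates that an HTTP request is answered with a 301 to the same page over HTTPS. The hostnames, the sample HTML and the function names are constructed for illustration, and requiring the same host and path on the redirect target is an assumption about what "the correct HTTPS page" means.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute normally makes the browser fetch a sub-resource.
# "link" covers stylesheets and icons; non-fetching rel values such as
# canonical are flagged as well and can be reviewed by hand.
ASSET_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
               "audio": "src", "video": "src", "source": "src"}

PAGE_URL = "https://www.example.com/"   # constructed sample page
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/lib.js"></script>
</head><body>
<img src="//img.example.com/logo.png">
<img src="http://www.example.com/banner.png">
<a href="http://other.example.org/">outbound link, not an asset</a>
</body></html>"""

class AssetCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = ASSET_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # urljoin resolves relative and protocol-relative (//host/...) URLs.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))

def insecure_assets(page_url, html):
    """Return (tag, url) pairs for assets the page would load over HTTP."""
    collector = AssetCollector(page_url)
    collector.feed(html)
    return collector.insecure

def redirect_ok(http_url, status, location):
    """True if the response is a 301 to the same host, path and query on HTTPS."""
    src = urlsplit(http_url)
    dst = urlsplit(urljoin(http_url, location or ""))
    return (status == 301 and dst.scheme == "https"
            and dst.hostname == src.hostname
            and (dst.path or "/") == (src.path or "/")
            and dst.query == src.query)
```

Feed `redirect_ok` the status code and `Location` header from a request made with redirects disabled, so a 302 or a redirect that drops the path is caught rather than silently followed.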

Just remember, choosing not to encrypt is choosing to have your website labeled “Not Secure” by Google, which owns the lion’s share of the browser market. Also remember that internet users tend to trust Google when it tells them something isn’t secure.

So don’t let that happen to you, encrypt today.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.