Google is pushing for a more secure web

With the release of Chrome 53, Google made a small but important change in the information it makes available to users about the websites that they visit. It’s all part of Google’s push to encourage website owners to secure their websites using HTTPS. In the near future, secure websites will also be faster than insecure sites, a key metric for Google.

Prior to Chrome 53, secure sites displayed the familiar padlock icon next to the URL in the address bar. Insecure sites showed no icon. Now, insecure sites display an “i” icon which, when clicked, informs the user that “Your connection to this site is not private”. It also displays information about the cookies received from the site and the permission settings for the site. Permissions include things like allowing popups, desktop notifications and the use of the computer’s camera and microphone. Note that this information has always been available, it was just less prominent. Google hopes that by increasing user awareness of how they are connecting to websites, they will recognize and prefer secured sites.

Turning up the pressure

According to a post on the Google Security Blog, beginning next year (Chrome 56) non-secure sites that transmit passwords or credit card data will include the text “Not secure” next to the icon in the address bar. The post goes on to say:

In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

Steps for website owners

Moving to HTTPS is easier and cheaper than ever before. There are 3 basic steps:

1. Purchase an SSL/TLS Certificate. These are issued by a Certificate Authority, who verifies that the certificate purchaser is also the owner of the website. Note: websites hosted by Webdancers can obtain certificates from LetsEncrypt at no charge!
2. Configure the website to use the certificate. This includes making changes on the web server and changing all site links from http:// to https://. A website badge may be added to remind visitors they are on a secure site.
3. Update all links to reflect the new security. The outside world, and especially Google, must be informed of the change. All links are automatically redirected from their old http:// versions to https://.

A more secure and faster web benefits Google, website owners and visitors alike. If you need assistance converting your site, please enter a comment below and I’ll give you all the details.