Google Chrome to warn about non-HTTPS pages

The web is moving toward a time when all websites use SSL on all pages by default.

A secure SSL certificate was previously only necessary for checkout pages and those handling sensitive data. At BFI we’ve tended to only recommend them for websites that don’t outsource card handling to pages hosted by SagePay, PayPal or similar.

Since 2014 Google has been gently guiding us towards a more secure web – a project they called “HTTPS Everywhere” – indicating that in the future HTTPS would be used as a ranking signal (albeit a tiny one) when determining where to rank website pages in the search results. So far, the impact of that has been very minor.

Fast forwarding to the end of 2016, Google have stepped up the encouragement, releasing an update to the Chrome web browser that will “mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”

This is part of a plan to eventually mark all HTTP pages as “Not secure”, regardless of their nature.

What does this mean for me?

In the short term, it means that from the end of January 2017, websites with log-in pages – members’ areas, customer accounts, back-end admin pages etc. – that don’t use https:// in the URL will show a “Not secure” message in the address bar on Chrome.

Although Google Chrome will be the first browser to do this (Chrome has 46% of the UK market share), Firefox follows closely (11% of UK market share). It’s only a matter of time before the remaining browsers, Safari (21%) and Microsoft Edge (6%), do the same.

To prevent this “Not secure” message showing on your log-in pages, it’s best to upgrade your website to use SSL.
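To find which pages on a site match the condition described above (a password or card field on a page not served over HTTPS), a check along these lines can be run over saved page HTML. This is an added example, not part of the original post and not Chrome's own detection logic; the field-name hints and the example.test URLs are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristic name fragments for card fields (assumption, not Chrome's list).
CARD_HINTS = ("cardnumber", "card_number", "ccnum", "cvv", "cvc")


class SensitiveInputFinder(HTMLParser):
    """Collects <input> elements that ask for a password or card details."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (kind, field name)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute values may be None (valueless attribute); normalise case.
        a = {k: (v or "").lower() for k, v in attrs}
        name = a.get("name") or a.get("id") or "(unnamed)"
        autocomplete = a.get("autocomplete", "")
        if a.get("type") == "password":
            self.found.append(("password", name))
        elif autocomplete.startswith("cc-") or any(h in name for h in CARD_HINTS):
            self.found.append(("card", name))


def audit_page(url, html):
    """Return sensitive fields on a page that is not served over HTTPS."""
    if urlsplit(url).scheme.lower() == "https":
        return []
    finder = SensitiveInputFinder()
    finder.feed(html)
    return finder.found


# Constructed sample pages (example.test is a placeholder domain).
LOGIN = '<form action="/login" method="post"><input name="user"><input type="PASSWORD" name="pass"></form>'
CHECKOUT = '<form><input name="holder"><input autocomplete="cc-number" name="pan"><input name="cvv"></form>'
ABOUT = "<h1>About us</h1><form><input type='search' name='q'></form>"

if __name__ == "__main__":
    for url, html in [("http://example.test/login", LOGIN),
                      ("https://example.test/login", LOGIN),
                      ("http://example.test/checkout", CHECKOUT),
                      ("http://example.test/about", ABOUT)]:
        hits = audit_page(url, html)
        print(url, "-> sensitive fields over HTTP:" if hits else "-> ok", hits)
```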

In the long-term, Chrome will be warning when ANY page is not secure, so at BFI we’ll be building all new sites with “HTTPS everywhere” by default.

What should I do now?

You can now order the upgrade for your site online. For most sites a basic certificate will cost £49/year + VAT and it’ll cost £180 + VAT to implement for a ‘normal’ GetTrolleyed, WordPress or WooCommerce site.