Here’s What Businesses Without HTTPS Should Know This July
If you continue to have an HTTP website URL, then it is time you gear up to add that extra ’s’ in the suffix for security reasons. With the release of Chrome 68 by July, Google Chrome will start marking all non-HTTPS pages as “not secure”. This is a big thing for millions of business owners whose websites are not encrypted by default and may receive security warnings for visitors using Google Chrome browsers once Chrome 68 stable updates go live this month end.
HTTP stands for HyperText Transfer Protocol and is not a secure method of transmitting data from your visitors’ browser to the website server as data is not encrypted and can be seen by anyone who may be monitoring Internet traffic. The ‘s’ at the end of ‘HTTPS’ stands for ‘Secure’. All data transferred is end to end encrypted from your visitors’ browser to your website server and no one can see or steal information between these two points. HTTPS, therefore, makes browsing much more secure and private.
By the end of July, Chrome on unencrypted or HTTP websites will start to show warnings in both search results and when a visitor visits your website as of July 1, 2018. The warning will be displayed in the search path bar at the top of the web browser.
While preparation was underway over the past few months, with developers transitioning their sites to HTTPS and making the web safer for everyone, experts believe a lot needs to be done in the area.
Global provider of SSL/TLS certificates such as DigiCert said, with the release of the Google Chrome 68 browser, any web page not running HTTPS with a valid TLS certificate will show a “Not Secure” warning in the Chrome address bar. This warning will apply to internet-facing websites and potentially millions of corporate/private intranet sites accessed through Chrome, which has about 60 percent market share, according to publicly available data.
Chrome released HTTPS conversion tools and data earlier this year that indicated that up to 78 percent of Chrome traffic is encrypted. Internal DigiCert research found that 43 percent of the Alexa 1 million sites used HTTPS by default, while a W3Techs June 2018 survey reported that HTTPS is the default protocol for 35 percent of the top 10 million websites. This leads to the conclusion that many smaller and less-trafficked sites may still rely on HTTP.
“The Chrome 68 update will hopefully spur the millions of sites still using HTTP to adopt HTTPS. The data shows that while the web has made tremendous strides toward greater user security, there are still many sites that need to catch up to avoid the ‘Not Secure’ warnings,” says DigiCert Chief Product Officer Jeremy Rowley.
“We urge IT administrators to check the sites they look after and deploy the appropriate TLS certificates,” he adds.
“The advent of encryption everywhere is a positive development for user security,” explains Rowley, “We support Google’s action to promote HTTPS use by default and want to make sure website administrators are aware of the coming changes and have resources to make the necessary changes to their web server operations.”
“In some instances, administrators may believe they don’t need certificates on all pages, but incorrect configuration and deployment will still lead to warnings within Chrome,” Rowley adds.
Avoiding warnings is important. According to a 2018 “Internal Website Security Seal Study” by Ipsos Group S.A, 87 percent of internet users will not complete a transaction if they see a browser warning on a web page. While 58 percent of respondents go to a competitor’s website to complete their purchase.”There are a number of options that website administrators can use to quickly enable HTTPS on their website, ahead of the deadline,” says Rowley. “Besides encryption and authentication of website traffic, digital certificates can boost SEO rankings, reduce bounce rates, and help minimize abandoned shopping carts.”
Rowley informs that for concerned website administrators and security teams, DigiCert offers free tools, the Certificate Utility for Windows and DigiCert SSL Tools designed for administrators that use TLS certificates for websites and servers or code signing certificates for trusted software. The freely downloadable tools feature automatic CSR creation and TLS certificate installation along with root certificates, intermediate certificates and private key management.
DigiCert has also launched a free guide on certificate management to help administrators stay up-to-date on best practices and reduce the chances of a certificate being neglected or mismanaged.”Although Google Chrome is the first browser to deploy such a visible warning system on non-HTTPS websites, this direction will likely be followed by others such as Microsoft, Apple and Mozilla,” says Rowley.
“HTTP 2.0 requires TLS encryption in major browsers. As the major browsers migrate to the newer technology, websites will find certificate deployment becoming increasingly important,” he sums up.