Earlier this year we all saw the first of a series of planned changes to how Google’s Chrome browser will display HTTP web pages without TLS/SSL encryption. To move towards a safer web, Chrome began displaying a “not secure” warning in the address bar of websites that collect passwords or credit card information. Now, the second step of Chrome’s changes is upon us. And this one is expected to have a much broader effect.
In late October, Google released version 62 of the Chrome browser with two significant updates. First, Chrome began labeling all non-HTTPS pages in incognito mode as “not secure”; second, and most importantly, Chrome began adding the “not secure” warning in the address bar when visitors start typing any information on HTTP pages.
According to Google, “Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the ‘not secure’ warning when users type data into HTTP sites.” Not surprisingly, this change has been getting a lot more attention, and site owners have been rapidly adding certificates for TLS/SSL to secure their pages from HTTP to HTTPS.
In addition to this, we know that a third step is coming—we just don’t know when. Google has said that, at some point, the Chrome browser will add the “not secure” warning for any requests to HTTP pages. That’s huge! Google is making it clear that a safer web is one where unencrypted web connections are discouraged. That means we’re moving towards a future where HTTPS page encryption is going to be a standard requirement for web pages.
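To see which of your own pages fall under each of the three steps described above, here is a small audit sketch. It is an added example, not code from Google or from this article, and it only approximates the behaviour described here: the sample pages are constructed, and treating `autocomplete="cc-*"` as the marker for credit card fields is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types a visitor cannot type text into.
NON_TYPED = {"hidden", "submit", "button", "reset", "image", "checkbox", "radio", "file", "range", "color"}


class FieldScanner(HTMLParser):
    """Records the names of fields that accept typed data."""
    def __init__(self):
        super().__init__()
        self.sensitive, self.typed = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        name = a.get("name", tag)
        kind = a.get("type", "text")
        # Assumption: card fields are marked with autocomplete="cc-*".
        is_card = any(t.startswith("cc-") for t in a.get("autocomplete", "").split())
        if tag == "input" and (kind == "password" or is_card):
            self.sensitive.append(name)
        elif tag == "textarea" or (tag == "input" and kind not in NON_TYPED):
            self.typed.append(name)


def classify(url, html):
    """Map a page to the stage of the rollout that would flag it."""
    if urlsplit(url).scheme == "https":
        return "ok"
    scanner = FieldScanner()
    scanner.feed(html)
    if scanner.sensitive:
        return "step 1: password or card field on HTTP"
    if scanner.typed:
        return "step 2: typed input on HTTP (Chrome 62)"
    return "step 3: plain HTTP page (planned)"


# Constructed sample pages, not real sites.
PAGES = {
    "http://example.test/login": '<input name="user"><input type="password" name="pw">',
    "http://example.test/search": '<input type="search" name="q"><input type="submit">',
    "http://example.test/about": "<p>About us</p>",
    "https://example.test/contact": '<textarea name="msg"></textarea>',
}

if __name__ == "__main__":
    for url, html in PAGES.items():
        print(f"{url:30} {classify(url, html)}")
```

Feed it the URLs and saved HTML of your own pages to decide which ones need HTTPS first.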
In this blog, I’ll share some web security fundamentals and give you some ideas on how you can plan to avoid the “not secure” warning coming with Chrome browser changes.
Let’s Start With the Basics
Before we dive right into what you need to do, let’s start with some basics. I’m going to keep it at a pretty high level in this post, but there’s a ton of information online—even some Web Security Fundamentals from Google.
What is TLS/SSL?
Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are security protocols that encrypt the exchange of data between web servers and clients. This data encryption is vital to help prevent malicious parties from sniffing or eavesdropping on data as it traverses the web—which is especially important when it’s personal data, like passwords, credit card numbers, or other personally identifiable information that is shared. To secure those communications while in transit, companies purchase and apply TLS/SSL certificates, enforcing that requests to the site are made via HTTPS (HyperText Transfer Protocol Secure) instead of HTTP (HyperText Transfer Protocol). This encrypts the data exchange and provides authentication to ensure that communication is happening only between the intended parties.
Why is it important?
With unsecured sites, i.e., those serving up HTTP pages, it’s possible for hackers