The harvest season, no doubt about it! Autumn (October, to be more precise) is taking us... “Google Chrome novelties” picking! Starting next month, Google Chrome will display new “Not Secure” warnings for HTTP pages.
We're talking about two additional situations in which this discouraging alert appears in the user's address bar:
- when the user is asked to enter credit card information or a password on an HTTP page (that is, when an HTTP page presents a form with sensitive input fields)
- when the user loads an HTTP page in Incognito mode
Note: in the second scenario, the “Not Secure” warning shows up on ALL HTTP pages visited in Incognito mode, whether or not they contain a form.
Take it as Google Chrome's next step in its “campaign” to push the web onto HTTPS: a plan structured in gradual steps, each meant to discourage users from “venturing” onto non-encrypted websites and, implicitly, to “force” website owners to do the necessary: move to sitewide HTTPS.
HTTP vs HTTPS: Is A Migration Really Worth It?
But first: which drawbacks of the HTTP protocol is Google Chrome warning users about with these new “Not Secure” labels?
Basically, an HTTP connection:
- is not encrypted
- gives visitors no guarantee that the website they are interacting with is the “right” one, since the server's identity is never verified
- provides no protection whatsoever against man-in-the-middle attacks, eavesdropping or modification of the data in transit
On the other hand, on an HTTPS page:
- the communication between the user and the website is encrypted, which protects it against eavesdropping and tampering in transit
- the server's certificate lets the browser verify that it is talking to the intended site, so data stays protected from third parties
And now, to answer your legitimate question of whether switching from HTTP to HTTPS is really worth the time and money, just imagine this scenario:
“A user lands on your website and is ready to make a purchase. A payment form is presented to him and he is about to enter his credit card information when... he gets a warning, in his address bar, that your site is not secure...”
2 Updates to Run on Your Site to Avoid The New “Not Secure” Warnings for HTTP Pages
1. Simply Get to The Root of the Problem and... Resolve It
How? By making sure that every field Google Chrome treats as sensitive is served from a “secure origin”, namely:
- inputs marked as credit card fields
- all the forms on your website that contain <input type=password> elements
“Secure origin” means that both the top-level page and, if the user types into an iframe, the iframe itself must be served over HTTPS.
In other words: if your HTTPS login/payment form is presented to users in an overlay on top of an HTTP page, you'll need to either:
- switch all your web pages to HTTPS, or
- redirect the user to an HTTPS page on your website that contains that specific login/payment form
The “shortcut” of placing an HTTPS iframe inside an HTTP top-level page is not a solution: the warning is still shown.
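To check your own pages against these rules before Chrome does, here is a small audit script. It is an added example, not code from the original post or from Google, and it works offline on HTML you hand it: it flags password inputs and credit card inputs on a non-HTTPS top-level page, and it also catches the “HTTPS iframe inside an HTTP page” shortcut. It assumes Chrome recognises credit card fields by the standard autocomplete cc-* attribute values (cc-number, cc-exp, cc-csc and so on) and treats http://localhost as a secure origin; the sample pages and the pay.example.com iframe are constructed for the example.

```python
"""Audit HTML for inputs that would earn Chrome's "Not Secure" label on HTTP pages.

Added example, not the post's own code. Assumptions: credit card fields carry an
autocomplete="cc-*" attribute; https:// and http://localhost count as secure origins.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def is_secure_origin(url):
    """https:// is secure; plain http:// is only tolerated for localhost (assumption)."""
    p = urlparse(url)
    if p.scheme == "https":
        return True
    return p.scheme == "http" and p.hostname in ("localhost", "127.0.0.1")


class SensitiveInputScanner(HTMLParser):
    """Collect password / credit card inputs and iframe src values from one document."""

    def __init__(self):
        super().__init__()
        self.sensitive = []  # list of (kind, input name)
        self.iframes = []    # raw src attribute of every <iframe>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already lowercases names
        if tag == "input":
            if a.get("type", "text").lower() == "password":
                self.sensitive.append(("password", a.get("name", "")))
            elif a.get("autocomplete", "").lower().startswith("cc-"):
                self.sensitive.append(("credit-card", a.get("name", "")))
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))


def scan(html):
    s = SensitiveInputScanner()
    s.feed(html)
    s.close()
    return s


def audit(top_url, top_html, frames):
    """Return one finding per sensitive input that triggers the "Not Secure" label.

    frames maps each iframe src (as written in top_html) to that frame's HTML, so
    the check runs without network access.
    """
    findings = []
    top_secure = is_secure_origin(top_url)
    top = scan(top_html)
    # Rule 1: sensitive inputs directly on a non-secure top-level page.
    for kind, name in top.sensitive:
        if not top_secure:
            findings.append({"where": top_url, "kind": kind, "name": name,
                             "reason": "top-level page is not HTTPS"})
    # Rule 2: both the top-level page AND the iframe must be secure origins.
    for src in top.iframes:
        frame_url = urljoin(top_url, src)
        frame_secure = is_secure_origin(frame_url)
        for kind, name in scan(frames.get(src, "")).sensitive:
            if not top_secure:
                reason = ("HTTPS iframe inside an HTTP top-level page" if frame_secure
                          else "neither the top-level page nor the iframe is HTTPS")
            elif not frame_secure:
                reason = "HTTP iframe inside an HTTPS page"
            else:
                continue  # secure origin: no warning
            findings.append({"where": frame_url, "kind": kind, "name": name, "reason": reason})
    return findings


# Constructed sample pages for the example (not taken from any real site).
TOP_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<iframe src="https://pay.example.com/card"></iframe>
</body></html>
"""
FRAMES = {
    "https://pay.example.com/card":
        '<form><input autocomplete="cc-number" name="ccnum">'
        '<input type="text" name="holder"></form>',
}

if __name__ == "__main__":
    for f in audit("http://shop.example.com/checkout", TOP_HTML, FRAMES):
        print(f)  # two findings: the password field and the card field in the iframe
    print(audit("https://shop.example.com/checkout", TOP_HTML, FRAMES))  # sitewide HTTPS: []
```

Running the same documents under an https:// top-level URL yields no findings, which is the whole point of the sitewide migration. To audit a live site, fetch the top-level page and each iframe document yourself and pass them in; the script deliberately does no network access.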
2. Go HTTPS! Switch to Using It Sitewide Instead
After all, the new “Not Secure” warnings for HTTP pages that Google Chrome is rolling out this October are just another step in its “macro plan” to label ALL HTTP websites as not secure.
So why wait for the inevitable? Why “mend” when you can go for a long-term, in-depth solution, make the move now, and migrate your Drupal website to HTTPS?
Take Google Chrome's new “Not Secure” warnings for HTTP pages as one more step in its master plan towards an HTTP-free web!
It's a plan they first launched in November 2016 and are implementing gradually, so that users grow more and more aware of the risks they expose themselves to when accessing HTTP pages, as the Google Chrome security team explains:
“Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria.”
There's no way of knowing, for the time being, precisely when Google Chrome will mark all HTTP sites as non-secure and label them with the red triangle that currently indicates broken HTTPS pages.
What we do know is that this is the ultimate goal of their plan. So, instead of waiting for a date in the calendar, why not prepare your website for this move gradually, starting now?