Chrome, HTTP Notifications, and SSL Security

HTTPS:// in an address bar

In January 2017, Google Chrome will release an update marking webpages using HTTP pages “Not secure” for users if:

  • The page allows a user to log in
  • The page allows credit card information to be submitted

This change is a first step in Google’s plan to mark sites using HTTP pages as insecure. Over time, they plan to mark all HTTP pages as insecure, but for now they are starting with pages that handle sensitive information.

So what does this HTTP change in Google Chrome mean?

Enable HTTPS security with an SSL certificate (image of padlocks)If you run an ecommerce site, probably nothing.  As long as your site is correctly configured to use HTTPS instead of HTTP, you will be set.  To check if you’re already using HTTPS, visit your login and checkout pages to see if they have HTTPS in the address. Most ecommerce sites already use HTTPS instead of HTTP, and have a valid SSL certificate installed.   Users visiting these sites in Chrome won’t see any changes.

However, if you run a blog or forum that has a login page, it’s possible you don’t have an SSL certificate installed already.  This means you can’t use HTTPS yet.  Chrome users will see a “Not secure” message next to the address bar while on the login page.

In January, this message will be neutral gray.  But that will change. In the long-term, Google intends to make the message red and urgent.

How do I enable HTTPS?

It’s a two-step process.  You need to see what types of SSL certificates your webhost offers. You can also purchase an SSL Certificate from a 3rd party
and have your webhost install it. The SSL certificate is necessary because it provides the encryption that makes using the HTTPS protocol possible.  Once your SSL certificate is installed, make sure scripts on your site are configured to use HTTPS (this doesn’t happen automatically).  So if you use WordPress, Drupal, phpBB, or any other 3rd party software or script that provides a user login, you need to change the configuration to use HTTPS instead of HTTP.

Is it important to fix this?

Yes. Security-minded users may wisely decline to use your site if they see a “not secure” message in Chrome, and ghost away without you even knowing why they left. You may also get direct questions from your userbase if they notice the change and become concerned. It’s good security practice to use HTTPS on pages handling sensitive information.  You’ll protect and reassure your userbase by adding an SSL certificate and HTTPS on your site.

When does my site need to have an SSL certificate installed and HTTPS enabled by?

Chrome will have this update rolled out in January 2017, so you have approximately two months to update your site.

Where can I learn more?

Check out Google’s official announcement here.

Can HTML Global Check if My Site is Using HTTPS and SSL?

HTML Global Can Help You Install SSL CertificatesYes we can!  If you’re an HTML Global client and we host your site, we’re already updating sites and reaching out to clients in the background.

If you’re not an HTML Global client, but have a site that needs an SSL certificate installed, contact us and we can help you out!