Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Plain Old HTTP Will Be Branded Not Secure

When Chrome 68 arrives, expected around July 2018, websites that don’t use HTTPS will be branded “Not secure”. This label will appear in the address bar, in place of where you’d see the padlock and “Secure” labelling for websites that use HTTPS properly.

The dominance of Google’s Chrome browser has enabled the company to push for better standards on the Internet, such as in this case to increase security through encrypted communications between browser and server.

Already from beginning 2017, websites that ask for passwords over unencrypted HTTP connections are highlighted with a red strike across a padlock, to warn users that the website is not secure. Prior to that, Google used HTTPS as a ranking signal in search results to encourage websites to convert to HTTPS.

With services like Let’s Encrypt around since April 2016, a service that provides free TLS (or what is commonly referred to as SSL) certificates to any website, there’s little reason why any website should not adopt HTTPS. Cost is not an issue anymore, even if the meagre US$10 or so per year had been an issue in the past.

For security, adopting HTTPS is now just only the beginning. There are so many more things that one can do. Not all TLS certificates are equal. We’re past the deprecation of SHA1 certificates, but there are other developments worth investigating. One example is the use of ECDSA-based TLS certificates, a switch which I had made in early 2016.

DNSSEC is also another component in the Internet security puzzle. This could be something trivially easy to do at some DNS hosting providers, where you could simply tick a checkbox to have DNSSEC provisioned for your domain.

Security matters everywhere. Even if your website doesn’t handle any sort of personal, financial,  or other information where confidentiality or privacy may be a concern, you should still move to HTTPS. Otherwise the “Not secure” labelling by Chrome will make your website look bad.

Chrome stable version is now 64. There’s still a couple more versions to go, but don’t put this off till it’s too late.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.