In late July 2018, with the release of version 68, Google Chrome started displaying a prominent ‘NOT SECURE’ message in the browser for any webpage not using HTTPS.
For most websites the Chrome not secure warning is really not much of a cause for concern, just like an unlocked garden shed isn’t much of a security concern if there’s nothing in the shed.
But to better understand how much of a security risk is involved with the Chrome ‘NOT SECURE’ warning, we need to explain how to make websites secure and what ‘being secure’ means.
How HTTP and HTTPS work
When you connect to a website with regular HTTP, your browser looks up the IP address that corresponds to the website, connects to that IP address, and assumes it’s connected to the correct web server. Data is sent over the connection in clear text. An eavesdropper on a Wi-Fi network, your internet service provider, or government intelligence agencies like the NSA can see the web pages you’re visiting and the data you’re transferring back and forth. The problems with HTTP are that there is no actual verification that you’re connected to the correct website and, of course, that the information can be read by someone with access to it. Credit card numbers should never be sent over an HTTP connection, as an eavesdropper could steal them.
These problems occur because insecure HTTP connections are not encrypted, whereas HTTPS connections are. HTTPS connections require an SSL certificate, for which an independent third party verifies that the website is who it says it is.
Most users have known for a long time to look for a lock icon when transmitting confidential information (such as credit cards).
Chrome and Firefox already warn when web pages ask for login or credit card information without using HTTPS, but after this release, all web pages that load without HTTPS will display the warning.
Previous versions of Chrome notified users of HTTP-only sites by displaying an exclamation point next to the URL. Google believes this new ‘NOT SECURE’ warning will help users understand that HTTP sites are not secure and will continue to move the web towards being secure.
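A site owner can check their own pages for the case the browsers already warned about: forms that ask for login or credit card information on a page loaded over HTTP, or that submit to an HTTP address. The script below is an added example, not part of the original article; the field-name heuristics and the example.test sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed heuristics for "confidential" fields; tune them to your own forms.
SENSITIVE_HINTS = ("password", "card", "cc-", "cvv", "cvc")

class FormAudit(HTMLParser):
    """Collect each form's resolved action URL and its sensitive field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            desc = " ".join(a.get(k, "") for k in ("type", "name", "id", "autocomplete")).lower()
            if any(hint in desc for hint in SENSITIVE_HINTS):
                self._form["fields"].append(a.get("name") or a.get("id") or "unnamed")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_page(page_url, html):
    """Return (issue, action_url, fields) for sensitive forms exposed to plain HTTP."""
    parser = FormAudit(page_url)
    parser.feed(html)
    page_is_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if form["fields"] and not page_is_https:
            findings.append(("page-loaded-over-http", form["action"], form["fields"]))
        elif form["fields"] and urlparse(form["action"]).scheme != "https":
            findings.append(("form-posts-to-http", form["action"], form["fields"]))
    return findings

# Constructed sample pages (example.test is a placeholder host).
SAMPLES = {
    "http://example.test/login": '<form><input name="user"><input type="password" name="pw"></form>',
    "https://example.test/checkout": '<form action="http://example.test/pay"><input autocomplete="cc-number" name="num"></form>',
    "http://example.test/": '<form action="/search"><input type="text" name="q"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(url, audit_page(url, html))
```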
What does this change mean?
After the release of this browser version, many websites now display this Chrome ‘not secure’ warning. This Chrome ‘not secure’ warning should not be a major cause for concern. A webpage that is NOT requesting any sort of user input has minimal risk of anything malicious happening. The warning alerts people that any data that they enter on a webpage that does not use an SSL certificate could potentially be compromised. HTTPS encrypts the data that is sent from your computer to the web server.
So, if you currently have a website that is not using HTTPS, the big question is: Do you need to be HTTPS? In order for a website to be HTTPS, you must acquire and install an SSL certificate, and some work is involved to re-configure the website to use it. However, the question of whether or not you will decide to use one going forward is a matter of individual preference for both you and your users. If your users are security conscious, then you might want to make your site secure.
On a related issue, what does the ‘not secure’ message mean when you see it on a website you are visiting?
As mentioned above, the more secure you need to be, the more important HTTPS is. Credit cards: Definitely. Phone #s…not as important.
And in the future?
Google is leading the way to make the entire web secure – so making your site secure is something you’re probably going to have to do eventually. New sites should certainly consider being secure, and any site requesting confidential information needs to be secure. Beyond that, being secure is certainly a good idea for industries where security is important, from web developers to medical and insurance.
At Bower Web Solutions we’d be glad to discuss your security issues and needs. Feel free to contact us to discuss.