September 29

posted by: Michael Mottola

Browser Changes: Future with HTTPS

Big Browser Vendor Changes to Web Browsing Security

Web browsers have changed significantly over the last year, and browser vendors have now begun implementing a long-term plan to display all non-HTTPS websites as "Not Secure". The overall goal is to help the internet transition to a safer place and improve users' browsing security and experience. They encourage all business owners, including our clients, to switch their website to HTTPS.

Google has led the charge in implementing this, rolling out a three-phase plan to eventually mark all HTTP pages as "Not Secure". Firefox has been just as aggressive (in some cases more so), with other browser vendors like Edge & Safari also following suit months later.

Late last year, Google Chrome made some significant changes to the browser that impact some of the features we use. Some of the more powerful features are now only available when serving content over HTTPS. A good example is the Geolocation API, which allows sites to access a user's location; it's a good thing for consumers that this is only allowed over HTTPS. Other features impacted include using a phone's camera, detecting device orientation and using fullscreen.
 

HTTP vs. HTTPS: A quick explanation

HTTP (http://example.com)
Not encrypted – attackers and ISPs can inject content on your pages and alter your experience. Using non-HTTPS sites on public Wi-Fi, at cafes or hotels for example, leaves users vulnerable to being spied on by other people connected to the same network.

HTTPS (https://example.com)
Encrypted connection between the browser and the web servers of the website you are visiting (a green lock typically appears in the browser's address bar) – uses SSL certificates to encrypt and validate the connection.


Google Chrome – Phase 1:

In January 2017, Google Chrome released Chrome version 56 for desktop and mobile browsers. It features more prominent warnings to users when they are entering sensitive information on a website that is not secure.

Google Chrome and Firefox started marking all HTTP pages that collect passwords or credit cards with a label of "Not Secure". Prior to these releases, only the info icon was present.

'Not Secure' warning in Chrome:

Image of Not Secure warning in Google Chrome

Firefox made their warnings more noticeable to users:

Image of Not Secure Warning in Firefox


Google Chrome – Phase 2:

The next phase of this plan will take effect in October! Chrome and Firefox will label HTTP pages as insecure if users can input any data, including search boxes and contact forms. Basically every single website has those components on at least one of its pages. For Chrome, this will start with Chrome version 62, targeted for an end of October release.

This means that if your website is not HTTPS, your users will see a "Not Secure" warning when visiting your property details pages or your contact us page. Or if your website has a search box in the header on every page, all pages will show this warning!


Google Chrome – Phase 3:

The timeline of this last phase is unknown at this time. We are estimating between 6 - 12 months from now, based on past notices from Google. This phase will complete Google's master plan by marking every single HTTP web page as non-secure.

Google has shared how it will look:

Image of eventual treatment of all HTTP pages in Chrome
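
To see which of your own pages fall under which phase, the three phases described above can be turned into a small audit script. This is an added example, not code from Google or from our platform; the function name warning_phase, the list of non-data input types and the autocomplete="cc-" check for credit card fields are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: input types that do not take user-entered data.
NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image"}


class _FieldScanner(HTMLParser):
    """Records which kinds of form fields appear in a page."""

    def __init__(self):
        super().__init__()
        self.sensitive = False  # password or credit card field (Phase 1)
        self.any_input = False  # any field a user can type into (Phase 2)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "textarea":
            self.any_input = True
        elif tag == "input":
            itype = a.get("type", "text")
            if itype in NON_DATA_TYPES:
                return
            self.any_input = True
            # Assumed heuristic: autocomplete="cc-number" etc. marks card fields.
            if itype == "password" or a.get("autocomplete", "").startswith("cc-"):
                self.sensitive = True


def warning_phase(url, html):
    """Return 0 for HTTPS pages, else the earliest phase (1, 2 or 3) that flags the page."""
    if urlsplit(url).scheme.lower() == "https":
        return 0
    scanner = _FieldScanner()
    scanner.feed(html)
    if scanner.sensitive:
        return 1
    if scanner.any_input:
        return 2
    return 3  # plain HTTP page, flagged once every HTTP page is marked


if __name__ == "__main__":
    # Constructed sample pages, not taken from any real site.
    pages = {
        "http://example.com/login": '<input type="password" name="pw">',
        "http://example.com/contact": "<form><textarea></textarea></form>",
        "http://example.com/about": "<p>About us</p>",
    }
    for url, html in pages.items():
        print(url, "-> phase", warning_phase(url, html))
```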


Google has been putting a big emphasis on using HTTPS on all websites.

In 2016, the Google PageRank algorithm started giving a boost to HTTPS sites over non-HTTPS sites. In 2017, they put the focus on getting companies to make the switch to HTTPS by highlighting websites that are not secure and eliminating the use of certain features when not served over HTTPS.

Google certainly has self-serving motivations to make this transition, as they own companies offering SSL certificates. But from a security standpoint, making the web a safer place to traverse is a great thing, and the web is safer when sites are verified and transmit secure content. Protecting your website visitors from eavesdropping and ensuring that any personal information is captured and transmitted over HTTPS makes for a happy user experience, even if the user doesn't know it.



Free HTTPS for LWS Website Clients!

We host and manage a lot of websites.

We don't want any of our hosted websites to display the "Not Secure" warning; that's not cool. So, we are upgrading all of our websites to use HTTPS.

In fact, we've already done all the work to make sure your website is HTTPS ready! We'll be deploying all our websites in the next couple of weeks, prior to the release of Chrome version 62.

Once we deploy your website live, it will automatically switch all traffic to the HTTPS version of the same page. You don't need to worry if you have links back to your website on HTTP: the redirect will simply switch the http:// to https://, keeping the rest of the URL intact.
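
The redirect behaviour described above can be checked from a recorded response (for example the status line and Location header shown by a command-line HTTP client). This is an added example, not our deployment code; the function names are hypothetical, and treating only 301 and 308 as acceptable is this sketch's assumption that the redirect should be permanent.

```python
from urllib.parse import urlsplit, urlunsplit


def expected_https_url(http_url):
    """Swap http:// for https:// and keep host, path and query intact."""
    parts = urlsplit(http_url)
    if parts.scheme.lower() != "http" or parts.port not in (None, 80):
        raise ValueError("expected an http:// URL on the default port")
    # The fragment (#...) never reaches the server, so it is not part of the target.
    return urlunsplit(("https", parts.hostname or "", parts.path or "/", parts.query, ""))


def check_redirect(request_url, status, location):
    """Return a list of problems with one HTTP-to-HTTPS redirect response."""
    problems = []
    if status not in (301, 308):  # assumption: the redirect should be permanent
        problems.append(f"status {status} is not a permanent redirect")
    if not location:
        return problems + ["no Location header"]
    want, got = urlsplit(expected_https_url(request_url)), urlsplit(location)
    if got.scheme.lower() != "https":
        problems.append("target is not https")
    if got.hostname != want.hostname:
        problems.append("host changed")
    if (got.path or "/") != want.path or got.query != want.query:
        problems.append("path or query not preserved")
    return problems


if __name__ == "__main__":
    # Constructed responses: (requested URL, status code, Location header).
    samples = [
        ("http://example.com/listings?id=42&beds=3", 301,
         "https://example.com/listings?id=42&beds=3"),
        ("http://example.com/listings?id=42", 301, "https://example.com/"),
        ("http://example.com/contact", 302, "http://example.com/contact"),
    ]
    for url, status, location in samples:
        print(url, "->", check_redirect(url, status, location) or "OK")
```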

We are upgrading at no additional expense to you!

If your website met the criteria for Google Chrome's Phase 1, which may have included password fields or geolocation API usage (on mobile, finding nearby properties from where the user is located), then your website was upgraded to HTTPS last January.

If you have any questions, please do not hesitate to call or email our customer service and support team.

About the Author:

Michael Mottola - Technical Director

Michael is a passionate software/web developer who's been building on the web since he was 10. From Niagara Falls, Michael left the city to pursue his love of technology by...