
This is how Chrome will force less secure, consumer-security-ignorant websites to adopt stricter HTTPS standards


Considering how frequent cyber attacks have become, on commerce-related and general sites alike, it is clear that the entire World Wide Web needs to move to HTTPS in order to get at least a minimal layer of protection against such threats.

However, despite all of those attacks and repeated warnings from cybersecurity experts, a whole lot of websites involving monetary transactions continue to ignore consumer security and operate over plain HTTP. That is soon going to be punishable, and punishable enough that it will lead to those websites being tagged as ‘non-secure’ by the world’s most widely used cross-platform web browser: Chrome.

According to a blog post that Google’s security team published today, the Chrome browser will start tagging websites that transmit passwords or credit cards over HTTP as non-secure, as part of the company’s long-term plan to mark all HTTP sites as non-secure.

Chrome currently indicates HTTP connections with a neutral indicator, which doesn’t reflect the true lack of security for HTTP connections. FYI, when you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you. However, once the Chrome 56 update rolls out in January next year, this is how things are going to change:

Additionally, starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature.

 

Without any explicit warning, users do not even bother to think about how secure their connection to the website they are browsing is. In fact, Google’s own study has revealed exactly the same thing. The study also found that users become blind to warnings that occur too frequently.

A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. More than half of Chrome desktop page loads are now served over HTTPS.

In upcoming Chrome releases, Google will continue to extend HTTP warnings, for example by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. The ultimate plan is to label all HTTP pages as non-secure, and to change the HTTP security indicator to the red triangle that is currently in use for broken HTTPS.

Migrate to HTTPS Everywhere

Google encourages website owners to move to HTTPS and forces them to implement HTTPS throughout the entire website. To enable HTTPS on your website, you need to install an SSL certificate. An SSL certificate is a digitally signed certificate that can protect your users from online fraud and prevent intruders from listening to the communication between your server and your website’s users.

Google suggests acquiring a third-party certificate from a trusted SSL certificate provider. Deploying and configuring an SSL certificate is simple but quite technical, so you should confirm that your certificate provider offers tech support. We recommend some reliable SSL certificate providers like:

Consider your business requirements when choosing the right certificate, and make sure that the certificate comes with 2048-bit key encryption.

  • Single-domain SSL certificate: protects only one website (www.example.com).
  • Multi-domain SSL certificate: secures multiple domain names (www.example.com, www.example2.com, www.example3.com).
  • Wildcard SSL certificate: secures the root domain and all of its subdomains (www.example.com, shop.example.com, mail.example.com).

Once you have installed a certificate on your server, don’t forget to set up 301 redirects to move all traffic to the secure HTTPS website, and make sure all secure web pages are indexed in search engines. It is also recommended to enable HSTS on your server. HSTS forces the browser to load pages over HTTPS, even if the user browses to your site with HTTP.
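A way to check the 301 redirect and HSTS steps above after a migration, as an added example that is not from the original article. The function names, the sample responses and the 180-day minimum `max-age` are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict of directives (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives

def audit_migration(host, http_resp, https_resp, min_age=15552000):
    """Return a list of findings for an HTTP-to-HTTPS migration.

    http_resp and https_resp are (status, headers) tuples for the plain-HTTP
    and HTTPS versions of the same page. min_age (180 days) is an assumed policy.
    """
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        findings.append(f"HTTP answers {status}, not a permanent 301 redirect")
    if target.scheme != "https" or target.hostname != host:
        findings.append("redirect does not point to https:// on the same host")
    if "strict-transport-security" in headers:
        # RFC 6797: browsers must ignore HSTS received over insecure transport.
        findings.append("HSTS header sent over HTTP; browsers ignore it there")

    _, s_headers = https_resp
    s_headers = {k.lower(): v for k, v in s_headers.items()}
    hsts = parse_hsts(s_headers.get("strict-transport-security", ""))
    max_age = hsts.get("max-age", "")
    if not max_age.isdigit():
        findings.append("HTTPS response has no valid HSTS max-age")
    elif int(max_age) < min_age:
        # max-age=0 tells the browser to forget the HSTS policy entirely.
        findings.append(f"HSTS max-age {max_age}s is below {min_age}s")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = ((301, {"Location": "https://www.example.com/login"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
WEAK = ((302, {"Location": "http://www.example.com/login",
               "Strict-Transport-Security": "max-age=31536000"}),
        (200, {"Strict-Transport-Security": "max-age=0"}))

if __name__ == "__main__":
    for name, (plain, tls) in (("good", GOOD), ("weak", WEAK)):
        print(name, audit_migration("www.example.com", plain, tls))
```

HSTS only takes effect after the browser has received the header once over HTTPS, so the 301 redirect still matters for a user's first visit.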