How to avoid the Not Secure warning

Will Google warn visitors that your website is not “safe”?

Starting on 31-January-2017, Google may tell people your website is “not secure” unless it uses encryption, that is, HTTPS backed by an SSL certificate, whenever it collects credit card information, passwords or anything that remotely looks (to Google) like sensitive information.

Officially, Google says that: “This change may confuse your website visitors or surprise you if you are not expecting it.”

Translated, that means: “If Google flags your site as ‘not secure’, your web visitors will leave faster than a herd of cats in a firecracker shop - with twice the disinclination to return.”

Your best bet is to make sure your website encrypts all traffic by default - whether it collects “sensitive” information or not - before the end of January 2017.

Background

Since 1999, web pages have been transmitted to your browser unencrypted, as plain-text HTML, for display. This default configuration is still in use.

Fast forward to 2017, and anyone sitting between a person and a web server can still easily eavesdrop on the connection and see every page, and every piece of content uploaded or viewed - including usernames, passwords, credit card information and so on.

While this sounds very cloak and dagger, it's a well-known fact that a large percentage of internet activity is, in fact, being monitored like this - not only by nation states but also by criminals.

In addition to eavesdropping, adversaries are able to create websites that look exactly like the real thing - you will never know it's fake unless you carefully examine the URL displayed by your browser. Instead of logging into your bank, you might be giving your password to a criminal.

Both eavesdropping and fake websites can be prevented by encrypting traffic to and from a website. This happens automatically between the web server and the browser - IF the web server has a “certificate” installed to enable encryption. An encrypted website is said to use SSL and HTTPS, the technical terms for encrypted web traffic.

Once encrypted, all information sent to a web server or received from it is very, very, very difficult to eavesdrop on. At the same time, your web browser can now also verify the authenticity of the website: in other words, if it says it’s Standard Bank, a little “secure lock” in your browser confirms that you are transacting with the real deal.

Computer security experts say: “Although a single visit to an unprotected website may seem benign, crafty intruders look at aggregate browsing activities to make inferences about our behaviours and intentions, and finally to de-anonymize our identities.”

None of this is personal. A lot of bad actors are looking for easy targets, so “not having anything to hide” is not the same as “not having anything to lose”. They are not out to get you specifically - they’ll take any target they can get.

Starting 31-January-2017

Google’s long-term ambition is to help us browse the internet safely. Starting with the release of Chrome 56 this month, your browser will indicate connection security with an icon in the address bar.

Any website that is not running HTTPS may have a message appear in the address bar that says “Not Secure”. It will look like this:

[Image: chrome-a.png - the “Not Secure” label in the Chrome address bar]

This is the first phase of a staged roll-out that encourages websites to get rid of plain old HTTP and to encrypt all traffic by default.

Future releases of Chrome will also label non-HTTPS pages in incognito mode as “Not secure”, on the assumption that people using this mode have an increased expectation of privacy.

The final phase of this staged roll-out will see Chrome label all plain HTTP pages as “Not secure”. It will look like this:

[Image: chrome-full.png - Chrome labelling a plain HTTP page as “Not secure”]

To avoid having your website labelled as “Not secure”, your website should use HTTPS and follow general security guidelines by 31 January 2017.
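A quick way to find out which of your pages trigger the first-phase warning is to apply Chrome 56's published rule (an HTTP page that contains a password or credit card input field) to the HTML your site actually serves. The script below is an added example and not part of the original post or Chrome's own code: it runs over a small set of constructed sample pages embedded inline (the `example.test` URLs and their HTML are made up), and it treats `autocomplete="cc-*"` attributes as the marker for credit card fields, which is an assumption for illustration rather than a description of Chrome's autofill heuristics.

```python
"""Find pages that Chrome 56 would label "Not Secure".

Added example, not from the original post. Rule applied: a page served over
plain HTTP that contains a password or credit-card input field is flagged.
Credit-card detection keys off autocomplete="cc-*" attributes (assumption).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample site: URL -> HTML body it serves (not real pages).
SAMPLE_PAGES = {
    "http://example.test/":
        "<html><body><h1>Welcome</h1><a href='/login'>Log in</a></body></html>",
    "http://example.test/login":
        "<form method='post' action='/login'>"
        "<input name='user'><input type='password' name='pw'></form>",
    "http://example.test/checkout":
        "<form><input autocomplete='cc-number' name='card'>"
        "<input autocomplete='cc-csc' name='csc'></form>",
    "https://example.test/login":
        "<form><input type='password' name='pw'></form>",
    "http://example.test/contact":
        "<form><input type='email' name='mail'><textarea name='msg'></textarea></form>",
}


class SensitiveInputFinder(HTMLParser):
    """Count <input> elements that look like password or card fields."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {name: (value or "").lower() for name, value in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        # Assumption: HTML autofill tokens cc-number, cc-csc, ... mark card fields.
        if a.get("autocomplete", "").startswith("cc-"):
            self.card_fields += 1


def sensitive_inputs(html):
    """Return (password_field_count, card_field_count) for one HTML document."""
    parser = SensitiveInputFinder()
    parser.feed(html)
    parser.close()
    return parser.password_fields, parser.card_fields


def classify(url, html):
    """Return 'https', 'not-secure', or 'http-no-sensitive-input' for one page."""
    if urlsplit(url).scheme.lower() == "https":
        return "https"
    passwords, cards = sensitive_inputs(html)
    if passwords or cards:
        return "not-secure"          # first-phase Chrome 56 warning applies
    return "http-no-sensitive-input"  # not flagged yet; all HTTP is flagged later


def audit(pages):
    """Classify every page of a site; pages is a dict of URL -> HTML."""
    return {url: classify(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_PAGES).items():
        print(f"{verdict:25} {url}")
```

To use it on a real site, replace `SAMPLE_PAGES` with the URLs and bodies fetched from your own server; the `http-no-sensitive-input` pages are only spared in the first phase, since the final phase of the roll-out labels every plain HTTP page regardless of its content.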

HTTPS is the future of the web; make sure you are ready.

If you think your website may be at risk and need assistance, Cozan Consulting is ready to help.
