It’s not uncommon for people to ignore basic and well-known computer and internet security practices. They don’t perform regular backups. They don’t use password managers, two-factor authentication, or even different passwords for different accounts. They click on links in phishing emails. They know better but they don’t bother until they get burned. Then, of course, it’s too late.
Credit: Geralt/Pixabay – Google presses for fully encrypted websites
Businesses are like individuals in this regard. Increasing security gets put off or ignored because it’s too expensive, too much hassle, too disruptive or doesn’t produce immediate gains. When you or I play fast and loose with security, we’re usually the only ones who get hurt. When a business with a website does the same thing, it isn’t the only one at risk. The people who visit the website can get hurt as well.
Credit: Kevin Murnane – The HTTPS protocol encrypts all communication with a website.
Google is trying to do something about this by pressuring companies to provide more security for the people who visit their websites. Look at the URL in the address bar in the above image. It begins with “https” which tells you something important. Any communication you have with this webpage is secure because it’s encrypted. Google doesn’t have any problems with webpages like this.
Google is pushing back against webpages with URLs that begin with “http” – no “s” – because they don’t encrypt communication between the user and the website. Communication may not be secure, and the user’s interactions with the website can be intercepted or tampered with.
The internet would be a safer place if all website traffic were encrypted. Google is trying to pressure companies into encrypting their websites with the HTTPS protocol by warning users about unencrypted sites. Beginning in October, Google’s Chrome browser will display the message “Not Secure” in the address bar when users interact with an unencrypted webpage.
For Google’s purposes, “interacting with a website” means entering something in a text box such as a username, password, credit card number or search term. Users in Incognito Mode will get the “Not Secure” warning whenever they visit a webpage that uses the HTTP protocol whether they interact with it or not.
Should you be concerned when you see the “Not Secure” warning? Maybe, maybe not. Some websites use the HTTP protocol and encrypt some, but not all, communication using other methods. For example, the website may encrypt credit card information or passwords but not search terms. If the user searches for a product on a retailer’s website, they get the “Not Secure” warning; if they navigate to the product page without searching and enter their credit card number, they don’t get the warning.
Obviously, if you get the warning when you enter a credit card number or password, you don’t want to hit “Enter” and send that unsecured information out over the internet. If you get the warning after entering something in a search box, other information you enter on the website may or may not be encrypted if the site is still using the HTTP protocol.
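For site owners, the rules described above can be turned into a quick audit of which pages will draw the warning. The following Python is an added example, not code from Google or from this article; the function name `audit_page`, the set of input types treated as text boxes, and the constructed sample pages are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: input types treated as "text boxes" a user can type into.
TYPED_INPUTS = {"text", "search", "password", "email", "tel", "url", "number"}


class _FieldCollector(HTMLParser):
    """Collects the fields on a page that accept typed user input."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "textarea":
            self.fields.append(a.get("name") or "textarea")
        elif tag == "input":
            # A missing type attribute defaults to a text field in HTML.
            kind = (a.get("type") or "text").lower()
            if kind in TYPED_INPUTS:
                self.fields.append(a.get("name") or kind)


def audit_page(url, html):
    """Report when the article's "Not Secure" rules would apply to a page."""
    if urlsplit(url).scheme.lower() != "http":
        # HTTPS pages are encrypted end to end and draw no warning.
        return {"incognito": False, "on_input": []}
    collector = _FieldCollector()
    collector.feed(html)
    # Plain HTTP: always flagged in Incognito, otherwise once the user types.
    return {"incognito": True, "on_input": collector.fields}


# Constructed sample pages modelled on the retailer example in the article.
SEARCH_PAGE = '<form action="/find"><input type="search" name="q"><input type="submit"></form>'
CHECKOUT_PAGE = '<form><input name="card_number"><input type="password" name="pin"></form>'

if __name__ == "__main__":
    print(audit_page("http://shop.example/", SEARCH_PAGE))
    print(audit_page("https://shop.example/checkout", CHECKOUT_PAGE))
    print(audit_page("http://shop.example/checkout", CHECKOUT_PAGE))
```

Any page that reports a non-empty `on_input` list is one where a visitor typing into the listed field would see the warning, so those are the pages to move to HTTPS first.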
Will Google’s tactic of telling users they’re visiting an unsafe website work? Chrome dominates the global browser market to such a great degree that more than half of the world’s internet users will see the warnings when they interact with unencrypted websites. There should be plenty of opportunities to motivate users to complain to companies about their lax security.
On the other hand, the “Not Secure” warning in the address bar may not attract enough attention to be noticed regularly. Companies may be betting on this. In September 2016, Google began letting companies know that increased warnings about websites using the HTTP protocol were coming. Nevertheless, Pure Oxygen estimated that 40% of the top 100 internet retailers were still using the HTTP protocol in mid-August 2017. It seems pretty clear that – PR blather notwithstanding – a lot of retailers don’t think their customers’ security is important enough to abandon the outmoded HTTP protocol and switch to HTTPS.
The “Not Secure” warnings are part of Chrome 62 (the current version is 60.0.3112.101), which has a planned October rollout. If you see the warning and you want to help make the internet more secure, send the website owner some feedback saying you’re unhappy with their insecure HTTP pages. A little consumer unhappiness can go a long way toward changing “yeah, yeah, we’ll get to it later” to “switch to HTTPS ASAP!”
Kevin Murnane covers science, technology and video games for Forbes. His blogs are The Info Monkey & Tuned In To Cycling and he’s The Info Monkey on Facebook & @TheInfoMonkey on Twitter.