The Time to Secure Your Website with HTTPS is Now
HTTPS is being required by many major browsers starting in October 2017, and we recommend you take action.
As of January 2017, Chrome 52 started to serve up a “Not Secure” message to users who landed on unsecure websites (HTTP) with password or credit card entry fields. Google is set to serve that same warning to any website that has user data entry. This means your innocent contact form or newsletter subscription text field will start triggering the user-facing message next month with the release of Chrome 62.
How An October Chrome Update Will Drive HTTPS Adoption
Back in January, Chrome wasn’t the only browser to flag unsecure websites. Firefox also started flagging websites containing password fields that were not loaded over HTTPS. This resulted in numerous websites, including the Qantas Airlines website, displaying warning messages to users. My personal favorite was the website for Oil and Gas International, which filed a bug in Mozilla’s bug tracking system (for Firefox) that said:
"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."
The Supposed Problems Of Using HTTPS
Despite all of this, many people still believe they do not need HTTPS for their website, regardless of the fact that it provides confidentiality of user data, integrity of website data, and authenticity that the website was not tampered with in transit. As recently as August, individuals were posting videos and blog posts about why you do not need HTTPS. Many of these blog posts or videos get removed shortly after posting (hence why they both link to the Wayback Machine, an archive of what existed on the internet at one time), but despite that, they are still distributed to wide audiences when first published.
These articles, while generally keyword-stuffed for SEO purposes, are flat out WRONG when it comes to security. Gone are the days when HTTPS would slow down your website. In fact, new technologies such as HTTP/2 make your site faster and only work over HTTPS. Gone are the days when HTTPS was a burden on cost. Furthermore, HTTPS does more than just secure your communications with a website; it also provides your users an integrity check that the website has not been modified in transit, as well as an authenticity check that the website has not been redirected elsewhere due to a DNS problem. Combined, these elements work in tandem to make sure users are securely able to access your website.
The Looming Consequences If You Don’t Use HTTPS
Despite pushback from some websites that were not using HTTPS, browser maintainers have pushed forward. Starting with Chrome 62 in October, any website with form input fields will start showing a “Not secure” warning to users in the user’s address bar. Additionally, any website visited in incognito mode over insecure channels (HTTP) will be marked as “Not secure”.
This means that websites like CNN, ESPN, and many other websites on the Alexa Top 500 list will be displaying a warning message next month about being insecure.
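The warning rules described above can be turned into a quick audit of your own pages. The following is an added example, not code from the original post or from Chrome: the function names, the set of input types treated as data entry, the `cc-` autocomplete check for card fields, and the sample pages are assumptions, and the browser's real heuristics are more detailed than this.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: input types that take no typed user data do not count as data entry.
NON_ENTRY_TYPES = {"hidden", "submit", "button", "reset", "image",
                   "checkbox", "radio", "file", "range", "color"}

class EntryFieldFinder(HTMLParser):
    """Collects <input> and <textarea> elements a visitor can type into."""
    def __init__(self):
        super().__init__()
        self.fields = []  # list of (kind, is_sensitive)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "textarea":
            self.fields.append(("textarea", False))
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind in NON_ENTRY_TYPES:
                return
            autocomplete = (a.get("autocomplete") or "").lower()
            sensitive = kind == "password" or autocomplete.startswith("cc-")
            self.fields.append((kind, sensitive))

def audit_page(url, html, incognito=False):
    """Return the reasons a page would be labelled "Not secure" under the rules above."""
    reasons = []
    if urlsplit(url).scheme.lower() != "http":
        return reasons  # HTTPS pages are not flagged by these rules
    finder = EntryFieldFinder()
    finder.feed(html)
    if any(sensitive for _, sensitive in finder.fields):
        reasons.append("password-or-card-field")   # flagged since January 2017
    if finder.fields:
        reasons.append("data-entry-field")         # flagged from Chrome 62
    if incognito:
        reasons.append("incognito-http")           # flagged from Chrome 62
    return reasons

# Constructed sample pages (hypothetical markup and URLs).
NEWSLETTER = '<form action="/subscribe"><input type="email" name="e"><input type="submit"></form>'
LOGIN = '<form><input name="user"><input type="password" name="pw"></form>'
STATIC = '<p>No forms here.</p><input type="hidden" name="csrf" value="x">'

if __name__ == "__main__":
    for url, html in [("http://example.test/news", NEWSLETTER),
                      ("https://example.test/news", NEWSLETTER),
                      ("http://example.test/login", LOGIN),
                      ("http://example.test/about", STATIC)]:
        print(url, audit_page(url, html), audit_page(url, html, incognito=True))
```

An empty list means none of the described rules apply; the same newsletter form that is flagged over HTTP produces no reasons once the page is served over HTTPS.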
How To Secure Your Domain, Quickly
Adding HTTPS to your website is not difficult or time-consuming. Mindgrub’s hosting partner, Pantheon, added one-click HTTPS support back in July, which easily enables HTTPS for all sites hosted on the platform. For my development-focused friends out there, DigitalOcean’s guide provides a simple, 3-step process for securing your website for free. Similarly, Cloudflare provides a nice tutorial for setting up HTTPS with their free service. My choice is Pantheon’s one-click HTTPS support, with Let’s Encrypt following in a close second, but all three options are great solutions for securing your website. If you are not sure what to use, schedule a conversation with me while there is still time and I will happily provide guidance as you work towards a more secure web experience.
A Commitment To A Secure Experience
I am a bit of a security nerd when it comes to all of this, so I have been following these updates fairly closely, from Pantheon’s new offering to secure every site with HTTPS on their platform for free, to upcoming issues with websites using Symantec SSL certificates (stay tuned for a future post).
A secure web is the only form of the web moving forward. If it were up to me, all websites would be served over HTTPS. If your website is not using HTTPS yet, both you and your users are going to have an unpleasant experience on your website next month. The time to secure your website is right now. Start the conversation with your hosting provider and developer to make the transition to HTTPS.