All Websites Containing Text Inputs to be Labeled "Not Secure" by Chrome Starting from October
Google Chrome has been marking websites served over HTTP (unencrypted) as "Not Secure" in its address bar to emphasize the vulnerability of such sites. The warning appears because the website lacks an SSL/TLS certificate, which is necessary to enable HTTPS and encrypt the communication between the browser and the server.
### How Chrome Marks HTTP Sites as "Not Secure"
When a user visits an HTTP site, Chrome does not display a padlock icon and instead shows a "Not Secure" label next to the URL in the address bar. Since October 2017, Google has been marking HTTP pages as "Not Secure" if they have password or credit card fields. Starting from Chrome 62, this warning has been extended to blogs with comments and search boxes, and all HTTP sites with forms.
In addition, Google attempts to automatically upgrade HTTP requests to HTTPS. If the HTTPS connection fails, Chrome falls back to HTTP but then shows an interstitial warning page notifying users the site is not secure, giving them the option to proceed or go back. This is part of Google's ongoing effort to encourage websites to use HTTPS by default for better security and user trust.
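To find which pages of a site fall under the labelling rules described in this section, a site owner can scan saved page sources for the fields involved. The following is an added example, not Chrome's own logic or code from the original article; the `classify` function, the rule names, the sample pages, and the field-detection heuristics (input types, `autocomplete="cc-*"` for card fields) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: these input types approximate "text inputs" a user can type into.
TEXT_TYPES = {"text", "search", "email", "tel", "url", "number"}

class InputScanner(HTMLParser):
    """Collects forms and user-editable fields found in one HTML page."""
    def __init__(self):
        super().__init__()
        self.forms, self.sensitive, self.text = 0, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms += 1
        elif tag == "textarea":
            self.text.append(a.get("name") or "textarea")
        elif tag == "input":
            itype = (a.get("type") or "text").lower()  # HTML default is "text"
            name = a.get("name") or itype
            # Assumption: card fields are recognised by autocomplete="cc-*".
            if itype == "password" or (a.get("autocomplete") or "").lower().startswith("cc-"):
                self.sensitive.append(name)
            elif itype in TEXT_TYPES:
                self.text.append(name)

def classify(url, html):
    """Return (rule, detail) naming the article's rule that applies to a page."""
    if urlsplit(url).scheme.lower() == "https":
        return ("https", "encrypted transport")
    scan = InputScanner()
    scan.feed(html)
    scan.close()
    if scan.sensitive:
        return ("sensitive-field", ", ".join(scan.sensitive))
    if scan.text or scan.forms:
        return ("form-or-text-input", ", ".join(scan.text) or "form without text fields")
    return ("plain-http", "no forms or inputs found")

# Constructed sample pages (not real sites).
LOGIN = '<form action="/login"><input name="user"><input type="password" name="pw"></form>'
SAMPLE_PAGES = {
    "http://shop.example/login": LOGIN,
    "https://shop.example/login": LOGIN,
    "http://blog.example/post": '<form><textarea name="comment"></textarea><input type="submit"></form>',
    "http://blog.example/about": "<p>About us</p>",
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(url, *classify(url, html))
```

Pages reported as `sensitive-field` are the ones to move to HTTPS first, followed by `form-or-text-input`.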
### Steps Website Owners Can Take to Avoid the "Not Secure" Label
To avoid the "Not Secure" label, website owners can take the following steps:
1. Obtain and install an SSL/TLS certificate: This certificate encrypts data between the browser and the server.
2. Enable HTTPS on the website: After installing the SSL certificate, configure your web server to serve your website over HTTPS.
3. Redirect all HTTP traffic to HTTPS: Set up server-side redirects so all HTTP requests automatically redirect to their HTTPS equivalent.
4. Check for SSL configuration issues: Make sure your SSL certificate is valid, correctly installed, and the server supports modern TLS protocols to avoid errors like `ERR_SSL_PROTOCOL_ERROR`.
5. Use free SSL certificates if needed: Services like Let’s Encrypt offer free SSL certificates that can be automated for renewal, making HTTPS accessible for all sites.
6. Test your site’s HTTPS setup: Tools like SSL Labs or online certificate checkers can help ensure proper installation and security.
Once SSL is installed and HTTPS is enabled, Chrome will display a padlock icon and the URL will begin with `https://`, removing the "Not Secure" warning.
### The Impact of Google's Policy Change
Google's decision to mark FTP sites as "Not Secure" is due to their unencrypted nature and vulnerability. The change, which will take effect in Chrome 70, scheduled for release on October 23, 2018, also includes the removal of trust in Symantec's old infrastructure and all certificates it has issued. This change aims at improving the overall security of the Internet by removing trust in outdated and potentially vulnerable infrastructure.
However, the change does not affect EV SSL certificates issued by Symantec's independently operated and audited subordinate CAs.
In conclusion, the "Not Secure" label in Chrome serves as a powerful reminder for website owners to secure their sites with HTTPS, not only to remove the warning but also to improve SEO and protect user data.
- To remove the "Not Secure" label from their websites, website owners should obtain and install an SSL/TLS certificate, enable HTTPS, redirect all HTTP traffic to HTTPS, and check for SSL configuration issues to ensure secure communication between the browser and the server.
- As technology advances, cybersecurity measures such as HTTPS become increasingly important for maintaining user trust, protecting sensitive data, and improving search engine optimization (SEO).