The web is moving toward a time where all websites use SSL on all pages by default:
.
A secure SSL certificate was previously only necessary for checkout pages and those handling sensitive data. At BFI we’ve tended to only recommend them for websites that don’t outsource card handling to pages hosted by SagePay, PayPal or similar.
Since 2014 Google has been gently guiding us towards a more secure web – a project they called “HTTPS Everywhere” – indicating that in the future HTTPS would be used as a ranking signal (albeit a tiny one) when determining where to rank website pages in the search results. So far, the impact of that has been very minor.
Fast forwarding to the end of 2016, Google have stepped up the encouragement, releasing an update to the Chrome web browser that will “mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”
Chrome will mark HTTP pages that collect passwords or credit cards as non-secure
This is part of a plan to eventually mark all HTTP pages as “Not secure”, regardless of their nature:
Eventual treatment of all HTTP pages in Chrome
What does this mean for me?
In the short-term, it means that from the end of January 2017, websites with log-in pages – members areas, customer accounts, back-end admin pages etc. – that don’t use HTTPS:// in the URL will show a “Not secure” message in the address bar on Chrome:
Log-in pages without HTTPS will show a warning
Although Google Chrome will be the first browser to do this (Chrome has 46% of the UK market share), Firefox follows closely (11% of UK market share). It’s only a matter of time before the remaining browsers (Safari, 21%) and Microsoft Edge (6%) do the same.
To prevent this “Not secure” message showing on your log-in pages, it’s best to upgrade your website to use SSL.
In the long-term, Chrome will be warning when ANY page is not secure, so at BFI we’ll be building all new sites with “HTTPS everywhere” by default.
Eventual treatment of all HTTP pages in Chrome
What are BFI’S plans?
BFI will contact all customers directly to arrange an upgrade. You’ll be contacted December 2016 through to February 2017, depending which server you’re on. Customers on our “Premium” & “Dedicated” hosting packages will be upgraded first, then those on our “Standard” hosting packages will follow. (This is due to our “Standard” servers requiring a software upgrade and it’s not sensible to do that during peak trade at Christmas.)
What should I do now?
For now, just sit tight. If your website is affected, BFI will be in touch when your website can be changed and you’ll be able to order the upgrade for your site. For most sites a basic certificate will cost £49/year + VAT and it’ll cost around £170 + VAT to implement.
There are a lot of websites to upgrade and not a lot of time, so upgrades will be applied on a first-come-first-served basis. Once contacted we would urge you to book your upgrade quickly (you can pay online) to avoid delay.
The post Google Chrome to warn about non-HTTPS pages appeared first on BFI.
