Google have started emailing webmasters to let them know about their plan for all web traffic to be delivered through an encrypted channel. This means delivering all web pages via HTTPS rather than HTTP.
They are modifying their Google Chrome browser and have already made some changes earlier in the year. If a form delivered in plain text (HTTP) has a credit card or password field, Chrome already flags up in the address bar that it is ‘NOT SECURE’.
The next step comes in October 2017 with the release of Chrome 62, although the exact date of the release has not been announced. In version 62, Chrome will treat all form fields not delivered via HTTPS with the same warning regardless of the input type. So a form with a message box, or a survey form, on a standard HTTP page will show the ‘NOT SECURE’ warning in the browser address bar as you start typing into the text box. Basically, all websites that have any type of form will have to be delivered by HTTPS. This means all websites that accept user input (i.e. are not read-only) will require a valid secure certificate to enable encryption.
However, delivering pages via HTTPS means that the server has to encrypt them before sending and the browser has to decrypt them on receipt, adding additional processing time to the page loading experience for the user. You get a slower experience but your interaction with the page is private from snoopers.
Website developers can decide which pages need to be delivered encrypted via HTTPS, and at the moment most already do that for any forms that take credit card or other personal, financial or health details. What Google aims to do is put pressure on website owners to ensure that all online data entry gets encrypted whilst in transit, putting security before speed. You can read more on the Chromium Blog, in the post ‘Next Steps Towards More Connection Security’.
To be honest, that is fine with me. I would rather be safe than sorry when entering any details into a web form and I think other browser manufacturers should follow suit. Perhaps they should stop at encrypting form data, as the next step for Google in a future release of Chrome is for websites to encrypt all page traffic regardless of content or suffer the same ‘NOT SECURE’ warning. Who knows what their next step will be after that; perhaps the warnings of today will turn into page or whole-website blockages in the future. Before you know it, websites that are not using TLS (Transport Layer Security) will have the browser show some sort of ugly message saying this dodgy website has been blocked.
I could imagine the warning message, something like…
SECURITY WARNING! This website wants you to be unprotected and encourages cybercrime!
The owner of this website thinks you are dumb enough to be their next online victim. If you still want to visit this criminal’s website then click here and await your fate!
However, it should be noted that Google are not responsible for your actions, so don’t blame Google when your bank account is emptied, you get kidnapped for ransom and the country’s economy collapses!
You have been warned!
If you take security seriously, then click here to view some great online offers from our security partners or click here to do a ‘secure site only’ Google search.
Joking aside, what should you do next if you own or operate a website? You should purchase and install a secure certificate if your website has any form controls in it at all (even a simple contact form). You might also want to do that just to future-proof your site against Google’s next changes.
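To find out which of your pages are affected, here is a small Python audit, added as an example and not taken from Google or the Chromium Blog, that sorts pages by which of the two warnings described above would apply. The page HTML is constructed sample data, and treating `autocomplete="cc-*"` as the marker for a card field is a simplifying assumption rather than Chrome's own detection logic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input types a visitor types into; buttons, checkboxes and hidden fields are skipped.
TYPED = {"text", "search", "email", "tel", "url", "number", "password"}

class FieldCollector(HTMLParser):
    """Collects the kind of every data-entry field found in a page."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "textarea":
            self.fields.append("text")
        elif tag == "input":
            kind = a.get("type") or "text"   # a missing or empty type means text
            # Assumption: card fields are marked with autocomplete="cc-*".
            if a.get("autocomplete", "").startswith("cc-"):
                kind = "card"
            if kind in TYPED or kind == "card":
                self.fields.append(kind)

def classify(url, html):
    """Return which warning from the post applies to one page."""
    if urlparse(url).scheme == "https":
        return "ok: delivered over HTTPS"
    collector = FieldCollector()
    collector.feed(html)
    if any(k in ("password", "card") for k in collector.fields):
        return "flagged now: password or card field on HTTP"
    if collector.fields:
        return "flagged from Chrome 62: text entry on HTTP"
    return "no form fields found"

def audit(pages):
    """Classify every page in a {url: html} mapping."""
    return {url: classify(url, html) for url, html in pages.items()}

# Constructed sample pages (example.test is a reserved test domain).
SAMPLE_PAGES = {
    "http://example.test/login": '<form><input name="u"><input type="password" name="p"></form>',
    "http://example.test/contact": '<form><input type="email"><textarea></textarea><input type="submit"></form>',
    "http://example.test/about": "<p>About us</p>",
    "https://example.test/checkout": '<form><input autocomplete="cc-number"></form>',
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_PAGES).items():
        print(f"{verdict:45} {url}")
```

Feed it the saved HTML of your own pages in place of `SAMPLE_PAGES`; anything not reported as delivered over HTTPS or free of form fields needs a certificate before Chrome 62 arrives.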