Google Chrome intensifies warnings for insecure HTTP websites

24 October 2017

Google Chrome has increased the warnings shown to users when visiting insecure HTTP websites without an SSL certificate as of version 62. Chrome has been showing such warnings since January 2017 for fields related to passwords, credit card data and the like. In the new version, Chrome shows this warning for any insecure field.

Which warnings were already shown?

Starting from Chrome version 53, the safety indicators were altered to reflect insecure connections. Chrome version 56, released in January 2017, made these safety indicators on HTTP websites more clear. According to Google, these iterations have caused 23% less visitors to enter sensitive data such as passwords and credit card data over an insecure HTTP connection.

Which warnings are shown?

The warnings shown to visitors have been expanded from Chrome version 62, available from October 17. The following has been changed by Google:

• Any forms on insecure HTTP pages will cause an ‘i’ to appear in the browser bar. When a user clicks the button, Chrome will provide an explanation as to why the connection is insecure. As soon as the visitor fills in a field, the ‘i’ icon will expand to the text ‘Not Secure’, discouraging users to enter data there.
• In Chrome’s incognito (private) mode, the ’i’ icon and ‘Not Secure’ warning will be shown on any insecure HTTP page.

Upon clicking the warning button, the following explanation will be shown:

Warnings with insecure FTP traffic

Last month, Google announced the same ‘Not Secure’ warning will be shown from version 63, to be released in December 2017, for insecure FTP connections as well. Originally, warning users for insecure FTP traffic wasn’t part of Google’s plan, but it will be added because the FTP protocol is insecure. FTP, an abbreviation for File Transfer Protocol, is a network protocol originating from 1971. FTP is mostly used for exchanging files between servers and clients. Just like HTTP, FTP can be expanded with SSL using ‘FTPS’. However, the use of FTP is not very common within browsers. As such, Google mentioned they even considered completely dropping support for FTP in Chrome. They officially recommend switching to HTTPS for transferring files in a secure manner.

Why have these changes been made?

Google has been taking a stance for a more safe Internet for a long time. The goal is to achieve a fully encrypted Internet in order to ensure privacy and security for Internet users are warranted by encrypting all websites using HTTPS instead of just banks, webshops and the like. Even if websites only have a simple contact form, they should still make use of an SSL certificate. Google stimulates the usage of HTTPS by implementing it to the fullest extent on its own services, as well as making clear which larger websites use HTTPS. Aside from stimulating the use of HTTPS, Google discourages visiting websites not secured by HTTPS, among others by demoting websites that don’t support HTTPS in the search results.

In 2014, Google forced SSL on its widely used Gmail email service. In the same period, Google announced they would partly base their search results on if a website makes use of an SSL certificate.

How do you prevent errors on your website?

To prevent your websites from getting warnings in Chrome, you’ll need your website to support a secure HTTPS connection. At the moment, Chrome doesn’t care about SSL certificate types, so using a certificate without company details will prevent any warnings from showing up. Given that the SSL certificate has been installed correctly, Google also rewards the usage of HTTPS on your website by ranking your website higher in the search results.

Aside from allowing visitors to visit your website over an encrypted connection, an important function of an SSL certificate is that it allows for authentication. You can find the SSL certificate that suits your website using the Xolphin Certificate Wizard