Google began sending out notices to site owners this month, reminding those who haven’t yet migrated from HTTP to HTTPS that in October their sites will be marked “NOT SECURE.”
The warnings are directed to owners of HTTP pages that contain forms, specifically sites that include text input fields like <input type="text"> or <input type="email">.
The messages reiterate that with version 62 of the company’s Chrome browser, slated for stable release on or around October 24, Google will require websites with any kind of text input to have an SSL certificate, that is, if site owners don’t want their visitors to see the “NOT SECURE” warning pop up in their browser’s omnibox.
The emails don’t come as a complete surprise; they follow up on an announcement that Emily Schechter, a member of Chrome’s Security Team, first made in April.
Site owners say they’ve received automated emails over the last few weeks via Google Search Console, a free service offered by Google designed to help website owners monitor and maintain their relationship with Google Search.
The notices confirm that users who navigate to HTTP pages in Incognito mode – a feature that can often trick users into thinking they’re safer than they are – will also see the warning.
While the change will affect any site in which users can enter data, like sensitive banking credentials and passwords, web security experts warn that any form of text input, including contact forms, search bars, and login panels, could make HTTP sites more difficult to reach in October.
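For site owners who want to inventory affected pages before October, the following added example (not part of the original article or of Google's notices) lists the text-entry fields on a page served over plain HTTP, the kind of field the notices describe. The function names, the sample HTML and the example.test host are constructed for illustration, and treating `<textarea>` and input types other than text and email as text entry is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "text" and "email" are the types named in the notices; the rest of this set
# is an assumption about which other <input> types count as text entry.
TEXT_TYPES = {"text", "email", "password", "search", "tel", "url", "number"}


class TextInputFinder(HTMLParser):
    """Collects form fields on a page that accept typed text."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "textarea":
            self.fields.append(("textarea", attrs.get("name") or ""))
        elif tag == "input":
            # An <input> with a missing or empty type defaults to type="text".
            kind = (attrs.get("type") or "text").strip().lower()
            if kind in TEXT_TYPES:
                self.fields.append((kind, attrs.get("name") or ""))


def audit_page(url, html):
    """Return text-entry fields if the page is served over plain HTTP, else []."""
    if urlsplit(url).scheme.lower() != "http":
        return []
    finder = TextInputFinder()
    finder.feed(html)
    finder.close()
    return finder.fields


# Constructed sample page: search bar, login panel and contact form, plus
# controls that take no typed text.
SAMPLE_HTML = """
<form action="/search"><input name="q"><input type="submit" value="Go"></form>
<form action="/login" method="post">
  <input type="EMAIL" name="user"> <input type="password" name="pw">
  <input type="checkbox" name="remember"> <input type="hidden" name="csrf">
</form>
<form action="/contact"><textarea name="msg"></textarea></form>
"""

if __name__ == "__main__":
    for kind, name in audit_page("http://example.test/", SAMPLE_HTML):
        print(f"text entry field: type={kind} name={name!r}")
```

The same page fetched over HTTPS returns an empty list, so running the check against both schemes of a site shows which URLs still need a redirect.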
Tony Perez, co-founder and CEO at Sucuri, a firm that offers website security solutions, said Monday the changes make sense from Google’s standpoint. He added that admins who haven’t already done so should ensure SSL is implemented on their site. Furthermore, admins should ensure they force HTTPS so users don’t accidentally stumble onto the non-encrypted version of their site and trigger the warning.
Google first began flashing “NOT SECURE” warnings to users back in January with Chrome 56. Eventually the company plans to brand all HTTP pages, not just ones with text input, as non-secure with a red triangle—the same icon Google uses for pages that use broken HTTPS.
HTTPS traffic hit a big milestone back in February when a two-week survey of telemetry data from Mozilla’s Firefox browser showed 50 percent of page loads used the protocol, but it’s still proving to be an uphill battle for service providers and website owners alike.
Let’s Encrypt, a certificate authority that’s been leading the charge for the web getting to 100 percent HTTPS usage, said earlier this summer it would begin offering wildcard certificates – certs that webmasters can use with multiple subdomains of a domain – in 2018. The CA said it hopes the planned change will give HTTPS page loads a boost.