From October 2017, Chrome will show a 'NOT SECURE' warning on any HTTP page containing a text form
Google are currently on something of a crusade. They want their users to feel totally secure as they browse the web, and so they've been doing their best to force website owners to take user security more seriously. Google Chrome already shows a 'Not secure' warning on non-HTTPS pages that collect sensitive data; for instance, checkout pages and login screens must be served over an HTTPS connection in order to ensure that card details, passwords, and other sensitive details are encrypted. If you're asking users to enter that sort of information on an HTTP page, Chrome will flag up the risk with a 'Not secure' notice.
As things stand, that 'Not secure' warning is only shown on pages where a user is explicitly asked to enter 'sensitive' data, such as:
- Passwords
- Credit / debit card details
However, Google have now announced a major change that could cause a lot of problems for website owners. As of October 2017, the 'Not secure' warning will appear on EVERY non-HTTPS page that contains a text input form, regardless of the form's purpose.
This means that, from October onwards, the following pages will need to be secured with an SSL certificate:
- Any page with a search bar
- Any page with a contact / enquiry form
- Any page with a newsletter signup form
Basically, if your page contains ANY element that allows the user to enter and submit some sort of information - whether it's their credit card number, their email address, or the name of the product they're looking to buy from your website - then you'll need to get that page secured with an SSL certificate by October.
With this change looming on the horizon, a lot of website owners will need to think very seriously about implementing HTTPS across all pages if they have not already done so. For instance, it's quite common for ecommerce sites to use HTTPS on their login/register and checkout pages while serving all other pages over an unsecured HTTP connection, but once this Chrome update takes effect, the people who visit those websites will start seeing 'Not secure' messages everywhere they click.
And those two little words will often be enough to put off potential customers and send them running to a fully-secured competitor instead.
What do I need to do?
If you are currently serving text input forms over an HTTP connection, you will need to purchase an SSL certificate and install it on the server where your website is hosted. You will then need to update things like canonical tags and internal links so that they point to your website's new URL (beginning with https:// rather than http://). You will also need to ensure that the proper redirects are in place so that anyone trying to access the HTTP version of your website is automatically sent to the secure HTTPS version.
If that to-do list seems a little intimidating, don't worry - all you really have to do is ask your website developer to make the necessary changes for you. They will know how to install the SSL certificate and update everything
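A developer working through that to-do list can audit each page's HTML offline before and after the switch. The sketch below is an added example, not part of the original article: it reports whether a page would be flagged under the October rule and which canonical tags, links and form targets still point at http://. The function names, the set of input types counted as text entry, and the sample page on shop.example.com are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: input types this audit counts as free-text entry.
TEXT_TYPES = {"text", "search", "email", "tel", "url", "password", "number"}


class PageAudit(HTMLParser):
    """Collects text-entry fields and same-host references still using http://."""

    def __init__(self, page_url):
        super().__init__()
        self.host = urlsplit(page_url).hostname
        self.text_fields, self.http_refs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_text_input = tag == "input" and (a.get("type") or "text").lower() in TEXT_TYPES
        if tag == "textarea" or is_text_input:
            self.text_fields.append(a.get("name") or tag)
        # References that must move to https://: canonical tag, links, form targets.
        attr = {"link": "href", "a": "href", "form": "action"}.get(tag)
        if tag == "link" and "canonical" not in (a.get("rel") or "").lower().split():
            attr = None
        ref = a.get(attr) if attr else None
        target = urlsplit(ref or "")
        if target.scheme == "http" and target.hostname == self.host:
            self.http_refs.append((tag, ref))


def audit(page_url, html):
    """Report whether the page would be flagged and which references need updating."""
    parser = PageAudit(page_url)
    parser.feed(html)
    served_over_http = urlsplit(page_url).scheme == "http"
    return {"flagged": served_over_http and bool(parser.text_fields),
            "text_fields": parser.text_fields, "http_refs": parser.http_refs}


# Constructed sample page (shop.example.com is a placeholder host).
SAMPLE = """<html><head><link rel="canonical" href="http://shop.example.com/widgets"></head>
<body><form action="/search"><input type="search" name="q"></form>
<form action="http://shop.example.com/subscribe"><input type="email" name="email">
<input type="submit" value="Join"></form>
<a href="http://shop.example.com/contact">Contact</a> <a href="/about">About</a>
<a href="http://partner.example.net/">Partner</a></body></html>"""

if __name__ == "__main__":
    print(audit("http://shop.example.com/widgets", SAMPLE))
```

Relative links such as `/search` are left alone because they follow the page's own scheme; only absolute http:// references to the same host are listed for updating.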
Do I need to switch to HTTPS if my website doesn't contain any forms?
Perhaps you've been reading this and thinking 'this doesn't concern me - I don't have any search bars, contact forms or anything like that on my website, so I must be safe'.
If so, we have some bad news for you. Google have made it quite clear that the October update will merely be the latest step towards their ultimate goal, which is to mark ALL HTTP pages as 'Not secure'.
This week, Google sent out an email to webmasters warning them of the imminent expansion of the 'Not secure' message. That email included the following ominous statement:
"The new warning is part of a long term plan to mark all pages served over HTTP as 'not secure'."
So while your unsecured website may survive the update in October, you won't be able to escape that 'Not secure' shame notice forever. And given that users are increasingly expecting to see that little green padlock at the top of their screens no matter what they're doing online, it's probably a good idea to get that SSL certificate and upgrade to HTTPS sooner rather than later.