Google has been waging war against the non-secured website for years. In 2016, Google made a pledge to start shaming websites with un-encrypted connections, as way to encourage developers to embrace HTTPS. With Google Chrome 68, the latest version of the popular web browser, Google is following through on its promise. When you visit a website using Google Chrome, version 68 or above, you will now see a “Not Secure” message next to the URL bar if that website does not fully secure your connection.
Their push for HTTPS is not without merit. When a website is secure, any interaction you have with that site is encrypted. If your visits or data are intercepted, the information will be cryptographically impossible to understand. Therefore, the opposite can be said when interacting with a non-secure website. Any information you exchange with an unsecured website can still be intercepted, but the information will be fully readable. In certain scenarios, a man-in-the-middle attack can even be launched, allowing a hacker to pose as a specific site and steal any data you provide.
Visiting a website means you are sending out requests for data from a server that could be anywhere in the world. If you enter any information into that website, say a login name or password, that data will travel through the internet to reach the webserver you are interacting with. An unencrypted website connection means your data is traveling in a readable format.
While not all data has the same level of need for encryption, you should note that the internet is a “wild wild west.” Anything goes, and anything can be used against you. Take internet service providers as an example. They have the easiest access to your internet usage. Any data you allow them to see, a la unsecured websites, they will track and use as they see fit. Some traffic might need to be reported to law enforcement, while other traffic can be sold to advertisers so that they can target specific ads based on your behavior.
No one doubts the need for a secure internet, but critics have been quick to point out that Google is taking a “bullying” approach. “The fact is that they’re forcing it,” says Dave Winer, a web developer, who also wrote a detailed objection in February. “They’re just the tech industry. The web is so much bigger than the tech industry. That’s the arrogance of this.” He’s gone on to state that not all web developers have the capacity or funding to implement HTTPS for all of their modern, live, or legacy websites. “Was this the only way to achieve this end? Because this is draconian. If this were done properly, it would have been deliberated, and a lot of people who aren't in the tech industry would have had a say in it.”
Nevertheless, Google has now forced the entire developer community to prioritize HTTPS on their websites. Whether it was the right approach is a topic for years to come, but it will bring faster implementation in the end. Firefox is said to be joining Google in showing warnings on non-secure websites. Together, they hold 73% of the internet browser market share, which means a lot of people are going to be “warned” that they are visiting a “non-secure” website.
Luckily, for a great number of web developers who manage websites with lower-than-average complexities, implementing HTTPS has never been easier, faster, or less expensive. Let’s Encrypt, for example, has been making HTTPS certificates available for free through their partnerships with popular hosting companies. As of today, Let’s Encrypt is securing over 115 million websites. “Expecting every website to enable HTTPS would have been unreasonable prior to the existence of Let's Encrypt, which lowers financial, technical, and educational barriers to enabling HTTPS,” says Josh Aas, cofounder of Internet Security Research Group, the organization behind Let’s Encrypt. “Our focus on ease of use at scale has been a primary driver behind the incredible growth in HTTPS deployment in recent years.”
For now, Google Chrome is displaying a green padlock with the word “Secure” next to a URL that is encrypting a visitor’s connection. When you visit a non-secure website, you will see a “Not Secure” warning in grey letters in the same location. Come October, however, Google will show the same warning in red letters. “Encryption is something that web users should expect by default,” says Chrome security product manager Emily Schechter. She is one of the pioneers behind Google’s continuous pressure on the development community to secure the internet completely.