Since the beginning of this year, Google has been taking steps to make the web a more secure and private place. The first step was a “Not secure” warning on websites that collect passwords and credit cards. Yesterday, on Google’s security blog, they announced the next step that is coming in October 2017 with the release of Chrome 62. The “Not secure” warning will also be on any websites without an SSL certificate where users enter data, plus all website visited in incognito mode.
You can read more about this upcoming security change on Google’s security blog.
The History of the “Not Secure” Warning
In September 2016, Google first announced the “Not secure” warnings would be coming in January 2017 for any sites that require passwords or collect credit card information. We’ve also known for some time that this warning would be extended. When we announced the arrival of Chrome 56 in February 2017, we warned about this next step. Google has been very transparent about the desire to make the internet a more private and secure place.
What Type of Data Entry Will Cause Chrome to Return a “Not Secure” Warning?
When we first predicted the next step, we thought that it would only be limited to entering email addresses on comment forms. Then the final step would be a red warning for all sites that do not have an SSL certificate. It appears our predictions were only partially correct.
On Google’s blog, they write the following:
Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites.
Any type of data would include the following:
- Search fields;
- All comment boxes: Name, website, email address, and comment;
- Other forms, such as contact forms, forms that capture information for mailing lists, forms to enter a giveways, etc.;
- Anything else that you can think of where the visitor will be typing something on your website and that information is transmitted to your server or any other server that collects the information.
If your website has any of the above, visitors will be greeted with a “Not secure” warning.
Why Is Google Extending the “Not Secure” Warning to All HTTP Sites When Browsing in Incognito Mode?
The reason for this is simple. People use “Incognito Mode” because they want extra privacy. An SSL certificate provide security by creating a secret handshake between the visitor and the server. But, an SSL certificate also provides privacy. It’s true your ISP will still be able to tell which domains you visit. However, once you visit a secured website, your ISP can’t get information on specific pages you visit because your visit is encrypted.
Getting an SSL Certificate to Avoid the “Not Secure” Warning Is Easy
There are still a number of web hosts that are trying to make money off of Google’s push towards a more secure and private web. They insist that you need a dedicated IP address, which they charge for, in order to get an SSL certificate. You do not need a dedicated IP address to get an SSL certificate. Some hosts also charge for an SSL certificate when, most likely, it costs them nothing.
If your host is using WHM/cPanel, then they have free SSL certificates through Comodo. They also have the ability to easily get an extra 100 free SSL certificates through Let’s Encrypt. All they have to do is turn on AutoSSL for Comodo certificates and install the Let’s Encrypt add-on for the extra 100 certificates. If your host refuses to do so, you have a couple of choices:
- Get a free SSL certificate through Let’s Encrypt and install it yourself; or
- Switch to a host that provides SSL certificates upon account creation.
All of Skookum Monkey’s hosting accounts come with free SSL certificates.
I Have a Self-Hosted WordPress Site and I’ve Just Installed an SSL Certificate. Now What?
Updating your self-hosted WordPress site from http to https is simple. Just follow our tutorial.