Millions of websites using HTTP may be labelled “Not Secure” with July Google Chrome update
July 2018 by DigiCert Inc.
DigiCert Inc. is providing industry guidance that millions of websites are not encrypted by default and may receive security warnings for visitors using Google Chrome browsers once Chrome 68 stable updates go live on July 23.
With the release of the Google Chrome 68 browser, any web page not running HTTPS with a valid TLS certificate will show a “Not Secure” warning in the Chrome address bar. This warning will apply to internet-facing websites and potentially millions of corporate/private intranet sites accessed through Chrome, which has about 60 percent market share, according to publicly available data.
Chrome released HTTPS conversion tools and data earlier this year that indicated that up to 78 percent of Chrome traffic is encrypted. Internal DigiCert research found that 43 percent of the Alexa 1 million sites used HTTPS by default, while a W3Techs June 2018 survey reported that HTTPS is the default protocol for 35 percent of the top 10 million websites. This leads to the conclusion that many smaller and less-trafficked sites may still rely on HTTP.
“The Chrome 68 update will hopefully spur the millions of sites still using HTTP to adopt HTTPS. The data shows that while the web has made tremendous strides toward greater user security, there are still many sites that need to catch up to avoid the ‘Not Secure’ warnings,” says DigiCert Chief Product Officer Jeremy Rowley. “We urge IT administrators to check the sites they look after and deploy the appropriate TLS certificates.”
“The advent of encryption everywhere is a positive development for user security,” explains Rowley, “We support Google’s action to promote HTTPS use by default and want to make sure website administrators are aware of the coming changes and have resources to make the necessary changes to their web server operations.”
“In some instances, administrators may believe they don’t need certificates on all pages, but incorrect configuration and deployment will still lead to warnings within Chrome,” Rowley adds.
Avoiding warnings is important. According to a 2018 “Internal Website Security Seal Study” by Ipsos Group S.A, 87 percent of internet users will not complete a transaction if they see a browser warning on a web page. While 58 percent of respondents go to a competitor’s website to complete their purchase.
“There are a number of options that website administrators can use to quickly enable HTTPS on their website, ahead of the deadline,” says Rowley. “Besides encryption and authentication of website traffic, digital certificates can boost SEO rankings, reduce bounce rates, and help minimise abandoned shopping carts.”
For concerned website administrators and security teams, DigiCert offers free tools, the Certificate Utility for Windows and DigiCert SSL Tools designed for administrators that use TLS certificates for websites and servers or code signing certificates for trusted software. The freely downloadable tools feature automatic CSR creation and TLS certificate installation along with root certificates, intermediate certificates and private key management.
DigiCert has also launched a free guide on certificate management to help administrators stay up-to-date on best practices and reduce the chances of a certificate being neglected or mismanaged.
“Although Google Chrome is the first browser to deploy such a visible warning system on non-HTTPS websites, this direction will likely be followed by others such as Microsoft, Apple and Mozilla,” says Rowley. “HTTP 2.0 requires TLS encryption in major browsers. As the major browsers migrate to the newer technology, websites will find certificate deployment becoming increasingly important.”