Update On Chrome's HTTPS Requirement: Firefox Takes The Lead!

Update On Chrome’s HTTPS Requirement: Firefox Takes The Lead!

A few weeks ago, we published a blog post on HTTPS, and Google Chrome’s plan to start displaying warnings on their browser when users enter information into a form on a website that is not running under a Secure HTTPS SSL Certificate.

Google notified website owners of this important change via Google Search Console and through a series of e-mails to webmasters. Many businesses were scrambling to get their websites converted to HTTPS – a development task that could take many hours, depending on the size of the website being converted.

Back Up. What is HTTPS Again?

In technical terms, HTTPS (HTTP over SSL) is the use of Secure Socket Layer (SSL) as a sublayer under regular HTTP application layering.

In other words, HTTPS is a secure connection between a website and your computer. Information passed between your computer and a website running under HTTPS is encrypted before it is sent, and information coming from the website to your computer is encrypted as well. On a HTTP connection, information is not encrypted.

This is important, because if the connection between your computer and a website is interrupted, or somehow picked up by a third party, sensitive information could be viewed by the person or software application looking in. Putting your name, e-mail address, phone number, credit card numbers, password, and other information into a non-HTTPS website could, potentially, put you at risk for identity theft.

IP With Ease has a few graphics that make the distinction more clear:

HTTP Vs HTTPS

Google’s Deadline: “October”

Google wasn’t incredibly clear when the “HTTPS doomsday” would hit, but they did reference a few different dates for HTTP treatment. This isn’t new news – Google has been telling business owners since September of 2016 that this change was inevitable.

Now that October is here, the staff at Iceberg Web Design has been monitoring non-HTTPS web pages to see if we can highlight the changes. Surprisingly, Firefox seems to be ahead of Chrome with their non-secure warnings!

Current Behavior: Google Chrome

Published on October 9, 2017 – current/most recent Google Chrome version on macOS Sierra is 61.0.3163.100

When visiting a website running under http:// with a contact form, the Google Chrome browser’s address bar prominently displays “Not Secure”. This is the same behavior that Chrome was exhibiting in September.

Google Chrome Address Bar on Chrome - October 9, 2017

We anticipate this warning will change in the coming weeks, as Google indicated this on their blog post from September 2016:

Eventual Treatment of all HTTP pages in Chrome

 

Current Behavior: FireFox

Published on October 9, 2017 – current/most recent Firefox version on macOS Sierra is 56.0

Interestingly, FireFox has actually taken a firmer approach to HTTPS than Chrome has. When visiting a website running under http:// with a contact form, Firefox’s browser address looks like this:

Firefox Address Bar - October 9, 2017

A little bit more noticeable than Chrome’s warning, we think. Firefox takes this one step farther: when entering a password into a password form on a non-HTTPS website, there is an AJAX pop-up warning the website visitor that their connection is not secure. Here is a visual of what that looks like:

Firefox - page not secure warning

Current Behavior: Safari

As far as we can tell, there are no indications on Safari that a website running under HTTP is not secure.

 

Now What?

It seems the Internet is still slowly catching on to Google’s requirement. Most well-known brands moved their websites to HTTPS early in 2017, if not even before (Facebook moved to HTTPS way back in 2013). But not all large websites have made the switch – IMDb, for example, is still just running under HTTP. We speculate that the reason they haven’t yet made the switch is because they have such a massive website, pulling in a lot of ads and media files. For a website to function entirely under HTTPS, all embedded media must, in turn, be hosted under HTTPS.

Questions About HTTPS?

Some of this is pretty technical. We’re happy to answer any questions you have – just drop us a line to support @ icebergwebdesign.com, or give us a call at 763-350-8762.

About the author

Jessi Gurr is the Master Penguin at Iceberg Web Design. She is an entrepreneur at heart, and loves all aspects of business growth, branding, and team building. Jessi frequently speaks at WordCamps throughout the US and internationally, and holds positions on the board at the Anoka Area Chamber of Commerce and Montessori Renaissance Academy, both in Anoka, MN. In her spare time, she enjoys vegan cooking, organic gardening, and spending time with her two young boys.