It's Time To Upgrade to HTTPS as the Web is Moving to "Secure Communication by Default"
If you haven’t upgraded your site to HTTPS yet, take note. By the time Chrome 62 will be launched in just a few weeks’ time, Chrome will mark all HTTP sites with any input fields as insecure.
The internet as we know it is moving rapidly towards a “secure communication by default” era where all traffic will be served over HTTPS. In a recent post by Troy Hunt, he highlighted how much harder things are about to get for website owners who don’t upgrade to HTTPS. This is in large part due to Google Chrome’s not secure messages that are already displayed on sites that are not using HTTPS when users enter passwords or credit card information.
HTTPS has seen mass adoption in the last few months. Let’s Encrypt, the global certificate authority (CA) that offers free certificates to sites in order to implement HTTPS, recently published a graph showing the phenomenal growth in Let’s Encrypt certificates since 2016.
In June 2017, Let’s Encrypt reported that they’ve issued 100 million certificates in only 19 months. It’s a staggering figure if you consider that in the 20 years before Let’s Encrypt launched, only 40% of all page views that were served over the internet were encrypted, and in the 19 months since Let’s Encrypt launched, that number has shot up to almost 58%
Driving factors for the growth towards HTTPS by default can be attributed to the four punch combo that consists of Let’s Encrypt's free SSL certificate, Google's push towards HTTPS by warning users of insecure (HTTP) sites, Firefox's warning messages on insecure sites and the slight SEO boost that Google gives to HTTPS sites.
Google’s push towards HTTPS encryption by default became known way back in 2014 when they first announced HTTPS as an SEO ranking signal. Since then, Google has started using Chrome as leverage towards the HTTPS drive.
Since Chrome 56, users entering passwords or credit card information on HTTP sites already get not secure messages. By the time Chrome 62 will be launched in a few weeks’ time, Chrome will mark all HTTP sites with any input fields as insecure. Simply put: if you visit any website in Chrome 62 onwards and input any data in a text field, Chrome will warn you that the site is insecure.
Ultimately, Google’s objective is to mark all HTTP sites as insecure with a prominent exclamation mark in a red triangle, and the Google Chrome 62 update is merely an incremental update to get there.
Firefox has also joined the cause, with warning messages being displayed on all versions since Firefox 52 if a user enters a password on an insecure site.
Given that Chrome has 62.4% market share and Firefox has a market share of 7.8% (as of June 2017), feel free to resist upgrading to HTTPS at your own peril.
While some people feel that Google is stepping out of their lane, this is a push towards a better internet for all, and certainly, one that we should all support. Google might be the loudest voice in the fight to securing the web, but it's certainly not alone. Let's Encrypt and Firefox has been very active and instrumental in the HTTPS growth to date.
If you're not sure why you need HTTPS, think of HTTPS as a secure tunnel in which all communications between your browser and an HTTPS enabled site are secure and encrypted. This means you’re protected from governments or ISPs spying on you - even if you’re using public networks or WIFI. HTTPS protects the privacy of users, whilst making sites more secure and harder to hack.
With Google's hard stance towards HTTP as an insecure transport protocol and the advent of free SSL certificates being made available by Let's Encrypt, we're seeing a revolution taking place. Everyone's adopting HTTPS and it's all happening very fast. We can certainly expect mass adoption of HTTPS to continue in the next few months until the majority of sites will inevitably serve traffic over HTTPS in the near future.
Upgrade Your Site to HTTPS with Free Let's Encrypt Certificates
Historically, HTTPS certificates were expensive to buy, and the cost had to be paid on an annual basis. That all changed when Let’s Encrypt, a nonprofit organization, launched in April 2016 with the purpose of offering free SSL/TLS certificates.
If your site is not using HTTPS yet, now is the time to upgrade.