Historically, web browsers have shown users when their connection to a site is secure. When users might assume a connection is secure but it could still expose data to third parties, as with mixed content, browsers have displayed more prominent warnings.
Insecure sites, those with no SSL / TLS protection, displayed no warning or notification. That’s changing. Some versions of Google’s Chrome browser now display a warning on “insecure” sites, subtly but significantly changing the way that users perceive the security or otherwise of a web site.
Over the last couple of years, Google and other organizations have stressed the benefits of HTTPS Everywhere. Google announced a couple of years ago that its browser would begin to display a warning for non-encrypted connections. This year, those warnings have started to roll out. At the time of writing, they are relatively low-key address bar notifications. But in the coming months, Google intends to increase their visibility so that it will be hard for users to miss.
The browser warnings aren’t the only mechanism Google uses to influence site owners to move towards blanket adoption of HTTPS. Sites that offer HTTPS are also given a boost in search engine results relative to sites that only offer HTTP connections.
The changes to the way browsers display warnings make intuitive sense. The earlier consensus was to display no security information at all if a connection wasn’t HTTPS-enabled. The lack of any indication that a site was secure was the only way a user could know that it wasn’t. Making the HTTPS status of sites clearly visible to users seems the most sensible option.
SSL / TLS used to be complex to set up, and most sites didn’t offer that protection. Because unprotected HTTP connections were the norm, it didn’t make much sense to make a fuss about sites that offered the same level of protection as their peers. HTTPS adoption has skyrocketed over the last couple of years. Organizations like Let’s Encrypt make it easy to offer HTTPS connections. The “standard” has moved from HTTP to HTTPS, which makes indicating the “insecure” status of a site more reasonable.
If you’re a site owner who hasn’t previously considered implementing SSL protection, how does this sort of pressure change your view? I’ve talked to a lot of site owners who simply don’t see the point. Their blog or lead generation site doesn’t allow users to log in. All users can do is download the page and display it in their browser. However low the overhead of implementing SSL now is, some site owners don’t want the hassle. Perhaps they are using older content management systems or web servers that make implementing SSL challenging. Or they are using their domain in ways that make the free, simple-to-deploy SSL solutions non-viable.
Personally, I think HTTPS Everywhere is a noble goal. For even the simplest site, an encrypted connection to a server with a validated identity is beneficial. I’d be interested to hear if any site owners out there disagree.