At the beginning of August, Google Webmaster Tools began sending notices to users with a warning that “Starting October 2017, Chrome (version 62) will show a ‘NOT SECURE’ warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.”
Currently, “not secure” warnings only appear on webpages that ask for passwords or credit card details, but this latest step expands those situations to include text input fields such as <input type="text"> or <input type="email">.
In English, this means any sort of form field that asks for plain text or email addresses will trigger that browser warning if the page is loaded using HTTP instead of HTTPS. To give you an idea of just how often those capture fields are used, here are some typical functions where you’ll find them:
- Social sharing via email
- Contact forms
- Registration and application forms
If you want the full geek-speak breakdown, visit this Chromium Blog post from April 2017 which covered these developments.
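For anyone who wants to check a page's markup against the rule described above, here is a short Python script, added as an illustration and not taken from Google's notice or the Chromium post. The names `audit_page`, `InputFinder` and `FLAGGED_TYPES` and the example.org URLs are made up for this example, and the list of field types is an assumption based only on the types named above (Chrome may flag others, and Incognito mode flags every HTTP page regardless).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types named in the notice quoted above (text, email) plus the
# password fields that already trigger the warning. Assumption: Chrome's
# real heuristics may cover more field types than this set.
FLAGGED_TYPES = {"text", "email", "password"}


class InputFinder(HTMLParser):
    """Collect (type, name) for every <input> whose type is in FLAGGED_TYPES."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        # An <input> with no (or an empty) type attribute behaves as type="text".
        field_type = (attr.get("type") or "text").strip().lower()
        if field_type in FLAGGED_TYPES:
            self.found.append((field_type, attr.get("name") or "(unnamed)"))


def audit_page(url, html):
    """Return the fields that would trigger the warning, or [] if the page is HTTPS."""
    if urlsplit(url).scheme.lower() == "https":
        return []
    finder = InputFinder()
    finder.feed(html)
    return finder.found


# Constructed sample markup: a newsletter signup form like one on a contact page.
SAMPLE_HTML = """
<form action="/subscribe" method="post">
  <input name="full_name">
  <input type="EMAIL" name="email">
  <input type="hidden" name="list_id" value="7">
  <input type="submit" value="Sign up">
</form>
"""

if __name__ == "__main__":
    for url in ("http://example.org/contact", "https://example.org/contact"):
        fields = audit_page(url, SAMPLE_HTML)
        print(url, "->", fields or "no warning expected")
```

Save each page's HTML source and pass it in along with the address visitors use to reach it; any fields reported for an HTTP address are the ones to move behind HTTPS first.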
This is all part of Google’s larger plan to label all HTTP sites as non-secure, which is actually a very good thing, but it does present some clear considerations arts organizations would be better off addressing sooner rather than later.
In order for webpages to load via HTTPS, they need to have an SSL certificate installed.
SSL (Secure Sockets Layer) is what allows a website to create a secure, encrypted connection which it then uses to transmit data. The most common use is connecting a website to a payment gateway provider to process online credit card payments. It’s also commonly used when connecting to a database that sends and/or receives a patron’s private information.
The really good news is the cost of SSL certificates has come down quite a bit over the last few years and there are movements underway to make reliable and secure open source certificates available free of charge.
If you need to get an SSL certificate installed, contact your web and/or hosting provider to install one for you.
Alternatively, you can contact an SSL certificate dealer to purchase a certificate for you to install directly (you shouldn’t attempt the latter unless you know what you’re doing). Multiple types of certificates are available (single, wildcard, extended, organizational, and more), so be sure to ask which one will meet your requirements or you may end up spending more than you need.
One quick method is to visit any one of your webpages using HTTPS. For example, if you visit https://artshacker.com, you’ll see a green padlock in the browser bar indicating the site is secure because it has an SSL certificate installed.
There are also a multitude of online services that verify if a valid SSL certificate is installed, such as SSLshopper.com; just keep in mind that most of these providers exist to sell some sort of SSL-related product or service. Having said that, many do an excellent job at verifying SSL status; here’s an example of a validation result for artshacker.com.
If you already have an SSL certificate up and running at your site (and it’s being applied to all content), you’re good to go. If you don’t have an SSL certificate, be prepared for site visitors using Chrome (which is probably the majority of your visitors) to either reach out expressing concern or simply avoid your site.
In the end, you will end up needing an SSL certificate for your website even if you don’t have any forms or data capture fields. Over the next year, you can bet that Google is going to continue expanding the conditions that trigger alerts and make them increasingly severe until any site not running SSL produces the “Your connection is not private” screen of shame.
The smart move is to get one up and running now as a preemptive measure instead of reacting to it down the road.