From January 2017, both Mozilla’s Firefox browser and Google’s Chrome browser started marking http web pages that collect passwords or credit card information as ‘Not Secure’ in the address bar.
Recent studies show that the absence of a ‘secure’ icon in a browser is not enough to warn people off potentially unsafe sites, and Google and Mozilla both have long term plans to mark all http website pages as non-secure; regardless of whether the page contains sensitive input fields.
Over half of the web pages served through Google’s Chrome browser on desktops are now running under https and more sites move away from http every day. It’s understood that 34.1% of all websites having valid SSL encryption, up from 14.4% two years ago.
What’s the difference between http:// and https://?
A website url which begins https:// in the browser address bar will show a green padlock and secure message. To achieve this the website will be using SSL encryption. “SSL” stands for secure sockets layer and provides protection for the data shared between the web server and the browser.
Without SSL encryption any data shared on your website is insecurely passed between the web server and browser, and has the potential to be intercepted. Where sensitive site data, such as card payments are being passed, SSL encryption is crucial and it’s important to note that all card processing services integrated with Create’s checkout already use SSL. This ensures the card details entered by your customers will always be encrypted.
Is my website affected by the browser update?
If your website doesn’t have full SSL encryption, this update means that your visitors will see the ‘Not Secure’ message when visiting any page which asks for card details or passwords.
If your website is specifically with Create, your visitors will see the ‘Not Secure’ message on their Chrome and Firefox browsers when visiting any of the following pages/content:
- Customer Accounts Login for accessing order information
- Website Users Login for accessing password protected content
- Pages which have the User Account Login side column enabled
- Forgotten password page from user/customer accounts login
- Google may detect if you’ve made a custom form which has a password field for your visitor to complete (not recommended
- Any third party content you’ve added which asks for card details or provides a user login and password.
If you use any of the above we’d recommend moving to full SSL encryption, as over the coming year we expect further, more stringent treatment of http pages to occur in Firefox’s updates and Google’s future Chrome releases.
What will Chrome and Firefox target next?
It’s most likely that pages which contain contact forms asking for personal details and checkout areas will be next to be targeted, and as Google has already stated they plan to switch the browser message from the current neutral state to a red warning.
Firefox plans to include a warning next to the password box for any login on an unsecured http page, and to move from the current neutral insecure message to a struck through padlock icon. Google’s next step is to continue to extend http warnings (for example, by labelling http pages as ‘not secure’ when users undertake private browsing in ‘Incognito mode’.
Moving your site to https now ensures you’ll benefit from improved Google search ranking (against non-SSL sites), increased visitor trust, better sales conversion rates, and you’ll be providing a secure experience for your customers. Plus you won’t need to worry about changing in the future as the warnings begin to have a greater impact.
How can I add SSL encryption to my website?
Like Google and Mozilla we believe that over time all website owners should switch from http:// to https:// to help keep everyone safe on the web, and you’ll now find SSL encryption as standard with all our current packages - ensuring all website owners can easily implement https:// on their website.
Read our guides on how to setup SSL on your website, and encrypting your website with SSL for more information. As always Create users can get in touch with their expert Account Manager who can advice on how this update affects their website.
We’ll cover any updates by Chrome and Firefox on the blog as they happen, so look out for new posts and information around this topic later in the year.