HTTP

Google flagged non-HTTPS websites as “Not Secure” - and that’s not a big deal

Google flagged non-HTTPS websites as “Not Secure” - and that’s not a big deal

If you are a tech addict (as I am), you have probably seen a lot of posts, news, and tweets about the new Chrome 68 update and the fact that it enables a new User Interface (UI) change. It flags all non-HTTPS websites (which means websites that are not accessed via HTTPS) as “Not Secure”.

As an Engineer working in networking protocols and optimizations, HTTP is part of my daily routine. That’s why I can’t understand why this new Chrome update was so "controversial". First, because after updating Google Chrome, changes were not so evident. Second, because its already 2018 and HTTPS is so easy to deploy that should be a must-have in all pages and APIs.

So, what changed exactly?

As I told you, changes were minimal. The images below are from the same website: on the left, before the update (still Chrome 67); and on the right, after the update (from Chrome 68).

  

In the end, only two words were added to the grey area: the “Not Secure” label. OK, I know this is probably temporary. The next step, I guess, will probably be a message like the one in the image below, appearing to anyone entering an HTTP website. That would be indeed a noticeable change but for now, not really.

insecure HTTP

But why aren’t we all using HTTPS, yet?

Despite the changes, what really surprises me in this whole question is why the hell HTTPS websites are still not the norm. It is true that some years ago enabling HTTPS was a crazy and expensive experience, but technology evolved a lot ever since. Today, enabling HTTPS is super easy and can be done for free.

By now, everyone should be aware that HTTPS is better than HTTP. Even though, since this is still a topic, let me remind you of at least 5 reasons why there’s no question you should enable HTTPs now.

Reason #1 - HTTPS stands for HTTP secure

Security should be a top priority for all developers, either their product is an API or a website. With HTTPs enabled, the connection is incomparably more secure than HTTP.

Reason #2 - Major vendors punish who does not use HTTPS

This Google Chrome UI update is just another move. During the last years, all major vendors have been deprecating HTTP:

Reason #3 - HTTPs performance is similar to HTTP

HTTPS adds the TLS handshake to HTTP (this handshake is very fast and could not exist if you use TLS 1.3). Even though, believe me, the reason why your network performance is not perfect is not related with HTTPS (Curious? Check our technology, here).

Reason #4 - Everyone trust more in an HTTPS page

People learn that making purchases from a website that is not HTTPS is something bad. If they already have this in their mind, well… HTTP is definitely not good for your business.

Reason #5 - It is free and super easy to deploy

Besides all the reasons above, you can look at the problem from another perspective: why not? If HTTPS is free, easy to deploy and brings another level of security, why the hell are you not using it? If you don’t know how to start, you just have to give a try to LetsEncrypt.

LetsEncrypt is one of these services that provide you a plug and play solution for free SSL certificates allowing you to enable HTTPS. It is easy to deploy in every server and you have excellent documentation to deploy it in any use case.

Smart move from Google

In my opinion, this was not only a smart but also expected move from Google. It was a natural step “moving towards a more secure web”, as Google stated. Gently, Google and other major companies are “forcing” (in the good sense) the use of HTTPS - and I believe it is the correct path to take.

LetsEncrypt, for example, is part of the move. It is supported by the Internet Security Research Group, which has members and advisors from Akamai, Cisco, Google, Mozilla and many others. These major companies have the power to make HTTP deprecated and force the “upgrade” to HTTPS - and that’s exactly what they’re doing.

And, as I mentioned before, there are definitely no plausible reasons to not use HTTPS everywhere:
HTTPS is more secure
HTTPS is an upgrade to HTTP
HTTPS has the same performance as HTTP
HTTPS is easy to deploy
HTTPS is free
HTTPS is easy to manage

What are you waiting for?