Chrome recently published a blog post on pushing security on the web. We know that Google has been promoting secure (HTTPS) websites for quite some time, and that it has been using HTTPS, meaning websites with encrypted connections, as part of its ranking for quite some time too. Well, now Chrome, a Google product, is pushing the secure web even further. And it does so as one of the most dominant browsers on the web.
What does this mean?
I have seen quite a bit of confusion on the web over what they will enforce, though. Partly this is good old-fashioned clickbait: it is simply easier to make tasty headlines than more general ones and then get into the specifics. And partly it is because people scanned the article and did not read it well. Let me explain what they stated.
As Google, the company behind Chrome, stated on their blog: “starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature”. So this means Chrome will push secure websites even further starting January 2017. Therefore pretty much all websites that are running a CMS over plain HTTP will have warnings on their login pages, where a username and password are entered. That includes CMSs such as my beloved WordPress.
E-Commerce and Security
It will also mean that all e-commerce websites, such as those running Magento, osCommerce, or WordPress with WooCommerce, will display "not secure" warnings on HTTP checkout pages where a user has to enter credit card data. Fortunately, most e-commerce sites have secure pages for dealing with Stripe and the like. However, quite a few e-commerce sites out there still do not, because they handle payments themselves or use payment gateways that still allow non-secure connections. So better get your own SSL certificate soon!
CMS & Security
For WordPress, an open source CMS and my favorite CMS, but also for all other CMSs, this means that all login pages will have to be secure eventually. Forms demanding credit card or payment data will have to be secure initially, but others asking for private data will be next. And this basically means that you will need an SSL certificate. It makes connections to your website safe for end users by encrypting the traffic between their browser and your server. Most hosters provide the option to get an SSL certificate for your domain. Contact them and ask about it. With Let’s Encrypt this does not have to cost you a thing. Some hosters have Let’s Encrypt SSL certificates built in, like my favorite hoster Dreamhost.
When you are using Chrome in Incognito (anonymous) mode, Chrome will warn you on all non-secure websites that the connection is not secure. This makes sense, as you are surfing the web this way because you do not want to be tracked, let alone snooped on. Most end users and customers do not use this mode though. So for most non-secure sites that do not deal with payments or do not even use a CMS, visitors should not end up panicking over this warning.
Let’s Encrypt is an organization that provides free SSL certificates. With an SSL certificate your site becomes secure, creating a secure way to connect to and identify your website. So see that you can get one or, better yet, see that your hoster can help you with getting one of these free certificates.
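To see which of your own pages fall under the Chrome 56 rule quoted above (login pages and checkout pages served over HTTP), here is a small audit script, added as an example and not taken from Google's post. How Chrome itself recognizes credit card fields is not described here, so the check for `type="password"` and `autocomplete="cc-..."` inputs is an assumption, and the `shop.example` pages are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Approximation (assumption): a field counts as sensitive if it is
# type=password or carries an HTML autocomplete token starting with "cc-"
# (cc-number, cc-exp, cc-csc, ...). Chrome's own detection may differ.
class SensitiveFieldFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").lower() for k, v in attrs}
        name = a.get("name") or a.get("id") or "?"
        if a.get("type") == "password":
            self.found.append(("password", name))
        elif any(t.startswith("cc-") for t in a.get("autocomplete", "").split()):
            self.found.append(("credit-card", name))

def audit_page(url, html):
    """Return the sensitive fields on a page that is served over plain HTTP."""
    if urlparse(url).scheme != "http":
        return []  # HTTPS pages are outside the Chrome 56 rule
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return finder.found

# Constructed sample pages (hypothetical site, not markup from any real CMS).
SAMPLE_PAGES = {
    "http://shop.example/wp-login.php":
        '<form><input name="log"><input type="password" name="pwd"></form>',
    "http://shop.example/checkout":
        '<form><input name="card" autocomplete="cc-number">'
        '<input name="exp" autocomplete="cc-exp"></form>',
    "https://shop.example/checkout":
        '<form><input name="card" autocomplete="cc-number"></form>',
    "http://shop.example/about":
        '<form><input type="search" name="s"></form>',
}

def audit_site(pages):
    """Map each flagged URL to its list of (kind, field name) findings."""
    return {u: f for u, h in pages.items() if (f := audit_page(u, h))}

if __name__ == "__main__":
    for url, fields in audit_site(SAMPLE_PAGES).items():
        print(url, "->", fields)
```

Only the HTTP login and HTTP checkout pages are reported; the HTTPS checkout and the HTTP page with just a search box are not.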
Further reading: Moving towards a more secure web (Original Google Blog article)