This month (July 24, 2018) Google has again attempted to bump up the security on the internet by making marking all HTTP sites as “NOT SECURE”. Are you ready to accept the change?

Many web browser developer companies like Google and Mozilla had been trying to make the internet secure. Google had implemented many features like warning users from non-secure HTTP sites, disabling flash support on ads and scanning downloads. This time, Google has stepped it further by proclaiming all HTTP sites as insecure. This feature is available in the next Chrome release (ver 68). The reason behind this step is to push all web developers to change their websites to HTTPS by implementing SSL.

Why is HTTPS being pushed by chrome?

HTTP is the oldest, and one of the first used protocols for communication. As the connection is not secure, an attacker can eavesdrop and steal information passed through the channel. Due to this vulnerability, HTTPS was introduced. HTTPS encrypts the communication channel between the user and the server. One of the significant features of HTTPS includes blocking ISPs from posting ads on the browser and better performance.

Why should I be concerned?

All the websites using HTTP will soon be lowered down in the google search. Chrome will block your site’s geo-location permission. This step by Google can have a cataphoric impact on your site.

What is the mitigation?

This issue can be fixed by:-

• Installing SSL certificate and migrating your website to HTTPS. If you are using sub-domains, then you must implement the right certification. You can make your site use HTTPS by changing the protocol to HTTPS.

• By using 301 redirects, 301 is the HTTP status code. 301 redirect to the best way to implement redirects on a site.

• By adding your website to the HSTS preload list. HSTS is a web security policy, implemenetd via the header that forces web browsers to use HTTPS channel for communication.

Let’s Encrypt is a certificate authority that provides free certificates for your websites. As it has only 90 days validity, you have to configure auto renewal. The features of Let’s Encrypt includes automatic renewal, superior security, transparent certificates, open standards, cooperative community support and much more. You can also use services like Cloudflare, which provides limited features to a free HTTPS certificate.

<img src=”/images/blog/letsencrypt-home.png” alt=’Let’s Encrypt’>

For any issues related to this problem, feel free to contact us at Appfabs.