Upcoming Changes in Web Security Standards

Google Chrome will soon be displaying а “Not secure” message for websites with HTTP login forms.

Background

Do you know what an encrypted connection is used for? And do you know that when you are shopping online or just surfing the web, someone might monitor or even modify the whole data exchanged between your browser and the server? Malicious persons do such things to obtain personal data and commit fraud.

How to stay safe?

Your browser uses HTTP (Hypertext Transfer Protocol) in order to communicate with the web server. Data transmitted during the communication is unprotected and can be intercepted (“tapped”) or modified. There are applications called “sniffers” that enable intercepting data from insecure connections as this most often happens to usernames, passwords or credit card details, bank accounts, personal data, etc.

However, HTTPS was created in 1994. This is a protocol consisting of secure communication over Hypertext Transfer Protocol (HTTP) within an encrypted connection. It ensures protection of the privacy and integrity of the exchanged data. Nowadays this protocol is obligatory for each computer network communication that contains personal data.

What’s new and how to protect your data?

A majority of the internet users are not familiar with the terms “protocol”, “encrypted connection”, etc., so they can hardly ever understand whether their data is secured. For that reason the makers of the most widely used browsers such as Google Chrome, Mozilla Firefox, Internet Explorer, Safari, Opera, etc. aim to make those terms more comprehensible and easy to access. The websites using HTTPS encrypted connection and having an SSL certificate installed usually have a green lock in the browser address bar. This means that the website is secure and the connection is encrypted. If the website uses HTTP, the green lock will not be displayed and when you point or click the icon in front of the URL (i) you will see the “Connection is not secured” notification.

As of January 2017, Google Chrome will notify you more noticeably whether the connection is encrypted.

(source: https://security.googleblog.com)

Which websites will display a warning message?

For the time being this is valid only for websites that require Log-In or payment details. Nowadays a vast number of websites enable user access and / or administering part of the website content which is possible after entering a username and password. All online stores will be affected by this change.

Which websites will still not display a warning message?

If your website does not require a log-in and users do not need to enter personal data, a warning message will not be displayed for the time being. The same goes for websites that have a log-in form, but it is hidden, so that it is not indexed by search engines.

The latest information released says that at a later stage web browsers will start displaying such message for all websites that use HTTP protocol no matter if they use login forms.

It is still not officially confirmed, but there is a high probability for the “Not secure” message to be colored in red and preceded by a red triangle!

(source: https://security.googleblog.com)

Such messages are intended to warn users that visiting a certain website may lead to compromising personal data. It will also mean that a website owner shall migrate from HTTP to HTTPS so that users do not start avoiding the website.

Google Chrome will be the first browser that will display the warnings in a more noticeable way. Other browsers will also start working in this direction as the main goal is to use the HTTP protocol less often and to transfer the entire bandwidth to HTTPS.