As of today, the 24th of July, if your webpage is not using HTTPS, Google Chrome will mark your website as ‘Not Secure’. Think about that for a moment. The first time a potential customer visits your website, right at the top of the browser they are met with a message saying your site is not secure.
Why are Google doing this? The aim is to make it the norm that traffic between your website and its users is encrypted. This helps protect the integrity of the data that is displayed to your potential customers.
If your website is not forcing users onto HTTPS connections, then you are not alone. There are plenty of popular websites that still don’t do this; take a look at the most popular websites in the UK that do not force users to use HTTPS - https://whynohttps.com/country/gb
But just because some of these big names aren’t doing it, that doesn’t mean you shouldn’t.
Even if your website redirects to an HTTPS page when sensitive information is required from the user, this still isn’t enough. An attacker who can tamper with the unencrypted HTTP page can easily change the link on it to redirect users wherever they want.
Since 2016 the certificate authority Let’s Encrypt has been offering free certificates that allow websites to use HTTPS. There is no cost to securing the traffic between your website and its users.
Just because a website is using HTTPS doesn’t mean that it is legitimate; a hacker may well use an HTTPS certificate on a phishing website to make it look more believable. That is no reason not to make sure that your own website is also using HTTPS. All websites should be using HTTPS to help protect users, and not only this: Google also ranks non-HTTPS websites lower in their search results. So if you want to help secure users and get better SEO, make sure all of your web content is served over HTTPS.
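As an added example (not from the original post), here is an nginx configuration that does what the last two paragraphs ask for: it sends every plain-HTTP request to the HTTPS equivalent and tells returning browsers never to load the site over HTTP again, so there is no unencrypted page left for an attacker to tamper with. The domain name and the Let’s Encrypt certificate paths are placeholders and assumptions, not values from the page.

```nginx
# Added example, not part of the original post.
# Assumed: the site is example.com and its Let's Encrypt certificate
# sits at the certbot default paths shown below.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Every HTTP request, for any path, gets a permanent redirect to the
    # same URL over HTTPS. No content is ever served in the clear, so
    # there is no HTTP page whose links could be altered in transit.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # HSTS: once a browser has seen this header it will refuse to load
    # the site over plain HTTP for the next year (31536000 seconds), so a
    # returning visitor who types http://example.com goes straight to
    # HTTPS without ever making the unencrypted request.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /var/www/example.com;
    index index.html;
}
```

Check the result with `curl -I http://example.com/any/page`: the response should be a `301` whose `Location` header points at the `https://` version of the same path.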
For more advice on HTTPS, contact [email protected]
Gerry Grant, Chief Ethical Hacker
Written on 24 July 2018