Google continues to force users to move their websites to SSL certificates. Is it to improve security or to make more money from paid ones? That's not the point: either way, setting up SSL for your website is definitely a good idea. It's not just about the green bar to the left of your address & search bar; it's also one of the necessary security measures for making sure that your data won't be stolen by anyone.
The beginning of HTTPS era
Around 3 years ago, Google's search engine started to give so-called "search privileges" to websites with an enabled HTTPS connection. In other words, search results became more likely to show websites with SSL certificates, and those websites were more likely to appear at the top.
As they said: "Over the past few months we’ve been running tests taking into account whether sites use secure and encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now, it's only a very lightweight signal - affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content..." You can read about this in their blog.
HTTP / HTTPS policy nowadays
And here comes a rumble! Starting from July 2018, Google Chrome marked all non-HTTPS websites as insecure, just like they planned in September 2016.
Starting with Chrome 68, when you visit a website that uses an old, boring, insecure and just really not interesting HTTP connection, your Google Chrome browser will show a "Not secure" message to the left of your search & address bar.
"Chrome's new interface will help users understand that all HTTP sites are not secure. We'll continue to move the web toward a secure HTTPS web by default." - Google explained.
In the picture above you can see how users will be alerted.
SSL certificates that are no longer in Google's favor
On top of that, starting with Chrome 66, which Google released in April 2018, Chrome shows a warning about an insecure connection when you visit sites with Symantec certificates issued before June 1st, 2016 and after December 1st, 2017 (this also applies where Symantec certificates are used as the root ones; such certificates were issued by Thawte, GeoTrust, and RapidSSL).
And starting with Chrome 70, released in November this year, all Symantec certificates will fall into Google's disgrace. Mozilla Corporation will add the same behavior to Firefox starting from version 60 (released in May 2018).
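To see which of your own sites fall under these rules, the check below classifies certificates by issuer and issue date. It is an added example, not code from this post: it takes certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, the hosts and certificates are constructed samples, and matching the brand on the issuer's organization name is a heuristic assumption.

```python
import ssl
from calendar import timegm

# Cut-off dates as given in the article; midnight UTC is an assumption.
ISSUED_BEFORE = timegm((2016, 6, 1, 0, 0, 0))
ISSUED_AFTER = timegm((2017, 12, 1, 0, 0, 0))

# Heuristic (assumption): spot the legacy Symantec brands named in the article
# by the issuer's organizationName. A complete check would walk the chain to its root.
LEGACY_BRANDS = ("symantec", "thawte", "geotrust", "rapidssl")


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def first_distrusting_chrome(cert):
    """Return 66 or 70 (first Chrome version that warns), or None if unaffected."""
    org = issuer_org(cert).lower()
    if not any(brand in org for brand in LEGACY_BRANDS):
        return None
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    if issued < ISSUED_BEFORE or issued >= ISSUED_AFTER:
        return 66
    return 70


def audit(inventory):
    """Map each affected host to the Chrome version that starts warning."""
    results = {host: first_distrusting_chrome(cert) for host, cert in inventory.items()}
    return {host: ver for host, ver in results.items() if ver is not None}


def _cert(org, not_before):
    # Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
    return {"issuer": ((("organizationName", org),),), "notBefore": not_before}


SAMPLE_INVENTORY = {  # constructed hosts and certificates, not real data
    "shop.example": _cert("GeoTrust Inc.", "May 10 00:00:00 2015 GMT"),
    "mail.example": _cert("Symantec Corporation", "Mar 15 00:00:00 2017 GMT"),
    "api.example": _cert("thawte, Inc.", "Jan 20 00:00:00 2018 GMT"),
    "blog.example": _cert("Let's Encrypt", "Apr  2 00:00:00 2018 GMT"),
}

if __name__ == "__main__":
    for host, version in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: insecure-connection warning starts with Chrome {version}")
```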
Good to know
Based on the information from StatCounter, the Chrome browser holds ~56% of the global browser market across all mobile and desktop platforms. So websites that end up under Google's "Not secure" label will be in some trouble. Why? Because a great army of Chrome users will very likely notice it. Trust and confidence are hard to earn but very easy to lose, especially when one of the world's biggest conglomerates says that users cannot trust your website anymore. :(
By the way, according to Google statistics: 81 of the top 100 websites use HTTPS by default; over 68% of Chrome traffic on Android and Windows occurs over HTTPS; over 78% of Chrome traffic on Chrome OS, macOS and iOS occurs over HTTPS.
If your website is still working without an SSL certificate, you should think about getting one and installing it! And you should do that quickly if you don't want to lose a majority of your network traffic. By the way, in one of our previous posts, we shared an Ansible playbook for a fully automated setup of a free Let's Encrypt certificate on your website. Go check it out!
We have also developed a script for the automated update of Let's Encrypt SSL certificates. It automatically triggers the update process when the cert is going to expire. Contact us if you're wondering how it works or if you just want to use it!