Back in April, Google told us that it would be displaying ‘Not Secure’ warnings in all input fields (login, contact forms, search boxes etc.)  rather than just password fields as it has been doing for some time now starting in Google Chrome version 62, and well, that time has come and other browsers are following too.

Chrome Not Secure Warning

The ‘Not Secure’ warning refers to the lack of an SSL/TLS certificate installed on the websites server. An SSL/TLS certificate installed on the server and ensuring that people access your website via HTTPS:// rather than HTTP:// in their URL bar means that all of the data that is transferred between the visitor and your website is encrypted which means that only you and the website will be able to decrypt that information and it is useless to anybody else. Once the server is configured properly this all happens behind the scenes with no noticeable effect to the website owner.

Without an SSL certificate, the pages on your website that people visit, the data that they download, the input they put in to the website that might include sensitive information such as name, address, password, credit card information etc. is not encrypted. Because it is not encrypted, other people on your network, the manager of the network (particularly problematic in public wifi areas), other 3rd-party services embedded in to the website, your internet service provider and all of the steps it takes to reach the server on it’s journey could all take a look at that data in transit.

Criminals or anybody else with an interest in snooping can use this to their advantage by sniffing for this data on unsecured wifi or at other stops across the network. They can also hijack unencrypted data, common tactics for stealing data include altering where login forms post their data to or embedding viruses in to web pages. These are known as man-in-the-middle (MITM) attacks.

Maybe you think this is important (you’re right!), maybe you don’t, but one thing is for certain is that your users will be turned away by their browser telling them your website is not secure! Google also reportedly uses the presence of an SSL/TLS certificate as a light ranking signal when determining a websites ranking.

Chrome Not Secure Warning


Getting secure

You will probably recognise the sign of a SSL/TLS secured website, the (usually) green padlock next to the web address that tells you that your connection is secure. This doesn’t necessarily mean that the website is safe, there are no prerequisites to getting a standard SSL/TLS certificate so a scam website or otherwise insecure company could have one to, but what it does tell you is that everything between you and the URL you are visiting is being sent securely.

There was a time that SSL certificates were a bit of a slog. They cost money, had to be renewed manually and usually required their own IP address. Gone are those days, at Amazorize we use Let’sEncrypt, a new open-source certificate authority supported by Google Chrome, Mozilla, Facebook, Cisco, Automattic (the company behind WordPress) among many other big names. Let’sEncrypt offers generates free, automated SSL certificates and getting secure has never been easier.


Further reading

Next steps toward more connection security – Chromium Blog

The 6-Step “Happy Path” to HTTPS – Troy Hunt