Back in July and August of 2017 Google started telling everyone that Chrome would soon start warning users any time they enter data into a form on a page that doesn’t use HTTPS encryption. The deadline was supposed to be in October 2017, but for some unknown reason Google let the deadline lapse with no explanation. Now they have apparently rescheduled the HTTPocalypse for July 2018.
Edit: Now Google is pushing for sites to use HTTPS site-wide, and not just on pages with forms.
Google announced on Thursday that with the release of Chrome 68 in July, Chrome will start warning users when they visit sites that don’t have HTTPS.
For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.
Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:
- Over 68% of Chrome traffic on both Android and Windows is now protected
- Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
- 81 of the top 100 sites on the web use HTTPS by default
I had previously posted on this issue last year, and since I have updated that post today I won’t repeat what it says, but I do want to reiterate that it’s entirely possible for your site to have HTTPS and still not be secure.
Many hosting companies and tech “experts” have published instructions that leave out a critical step in taking a site to HTTPS. They tell you to get an SSL certificate and then change a setting so that your domain starts with HTTPS rather than HTTP, but they forget to tell you that you also need to force all content on a page to use HTTPS.
For example, if you have existing blog posts with images, those images need to be forced to use HTTPS.
Usually this is not a serious issue for WordPress sites; all that is required is to go through the other steps (get an SSL certificate, etc.) and then also install a plugin like SSL Insecure Content Fixer (this worked on every site I’ve tried).
That takes care of about 95% of all WordPress sites; the rest turn out to have a weird quirk that needs to be fixed by hand.
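To find the leftover content described above, here is an added example (not from the original post and not taken from any plugin's code) that parses a page's HTML and lists every subresource or form target still referenced over plain `http://`. The sample HTML and its host names are constructed, and the function and class names are this example's own.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("img", "srcset"), ("source", "src"), ("source", "srcset"),
           ("video", "src"), ("video", "poster"), ("audio", "src")}

def _urls(attr, value):
    parts = value.split(",") if attr == "srcset" else [value]  # srcset: "url size, ..."
    return [p.split()[0] for p in parts if p.strip()]

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) tuples in document order

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        for attr, value in attrs:
            if (tag, attr) in ACTIVE or ((tag, attr) == ("link", "href") and "stylesheet" in rel):
                kind = "active"    # scripts, frames, stylesheets
            elif (tag, attr) in PASSIVE:
                kind = "passive"   # images and media
            elif (tag, attr) == ("form", "action"):
                kind = "form"      # form data would be submitted in cleartext
            else:
                continue           # e.g. <a href> is a link, not a subresource
            # Relative and protocol-relative (//host/x) URLs inherit the page's https.
            self.findings += [(kind, tag, u) for u in _urls(attr, value or "")
                              if u.lower().startswith("http://")]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of a post served over HTTPS; all hosts are placeholders.
SAMPLE_POST = """
<link rel="stylesheet" href="http://blog.example/wp-content/themes/t/style.css">
<link rel="canonical" href="http://blog.example/post/">
<p>See <a href="http://other.example/">this page</a>.</p>
<img src="http://blog.example/a.jpg" srcset="/a-300.jpg 300w, http://blog.example/a-600.jpg 600w">
<script src="//cdn.example/lib.js"></script>
<form action="http://blog.example/subscribe" method="post"></form>
"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE_POST), sep="\n")
```

It only inspects the HTML it is given, so URLs pulled in by CSS or JavaScript at load time still need a check in the browser's developer console.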
image by Sean MacEntee