The HTTPocalypse was Postponed, But It’s Still On its Way


Back in July and August of 2017, Google started telling everyone that Chrome would soon start warning users any time they visit a site and enter data in a form on a page that doesn’t use HTTPS encryption.

The deadline was supposed to be in October 2017, but for some unknown reason Google let the deadline lapse with no explanation.

Now they have apparently rescheduled the HTTPocalypse for July 2018.

Edit: Now Google is pushing for sites to use HTTPS site-wide, and not just on pages with forms.

Google announced on Thursday that with the release of Chrome 68 in July, Chrome will start warning users when they visit sites that don't have HTTPS.

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.

Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:
  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default

I had previously posted on this issue last year, and since I have updated that post today I won't repeat what it says, but I do want to reiterate that it's entirely possible for your site to have HTTPS and still not be secure.

Many hosting companies and tech "experts" have published instructions that leave out a critical step in taking a site to HTTPS. They tell you to get an SSL certificate and then change a setting so that your domain starts with HTTPS rather than HTTP, but they forget to tell you that you also need to force all content on a page to use HTTPS.

For example, if you have existing blog posts with images, those images need to be forced to use HTTPS.

Usually this is not a serious issue for WordPress sites; all that is required is to go through the other steps (get an SSL certificate, etc.) and then also install a plugin like SSL Insecure Content Fixer (this worked on every site I've tried).

That takes care of about 95% of all WordPress sites; the rest turn out to have a weird quirk that needs to be fixed by hand.
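A quick way to check for the missed step described above, as an added example that is not from the original post: it scans a page's HTML for subresources (images, scripts, stylesheets) still requested over `http://`, which is what leaves an HTTPS page insecure. The sample markup, the `blog.example` URLs and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# "active" content can change the page; "passive" content is only displayed.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",  # counted only for rel=stylesheet
    ("img", "src"): "passive",
    ("img", "srcset"): "passive",
    ("video", "src"): "passive",
}

# Constructed sample: an old post as it might look after the site moved to HTTPS.
SAMPLE_POST = """
<link rel="stylesheet" href="http://blog.example/wp-content/themes/t/style.css">
<link rel="canonical" href="http://blog.example/old-post/">
<script src="https://blog.example/wp-includes/js/jquery.js"></script>
<p>Old post with <a href="http://other.example/">a plain link</a>.</p>
<img src="http://blog.example/wp-content/uploads/2015/03/cover.jpg"
     srcset="https://blog.example/a-300.jpg 300w, http://blog.example/a-600.jpg 600w">
<img src="//cdn.example/logo.png">
"""

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) for every insecure subresource

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return  # canonical/alternate links are not fetched as page content
        for name, value in attrs.items():
            kind = SUBRESOURCES.get((tag, name))
            if kind is None:
                continue  # e.g. <a href>: navigation, not a subresource
            # srcset is a comma-separated list of "url descriptor" candidates
            for cand in (value.split(",") if name == "srcset" else [value]):
                url = (cand.split() or [""])[0]
                if url.lower().startswith("http://"):
                    self.findings.append((kind, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE_POST), sep="\n")
```

Plain links and protocol-relative (`//`) URLs are not reported; only resources the browser would actually fetch over HTTP while rendering the HTTPS page are.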

image by Sean MacEntee

Nate Hoffelder


6 Comments

  1. Nick Moline, 11 February, 2018

    The October deadline did come and did hit; many people just misread what was going to happen at that stage. At the Oct 2017 point, they started displaying the warning on http pages that have forms when users start typing in the form. Also in Oct 2017 they started displaying the warning on all http pages viewed in incognito mode.

    At the July 2018 deadline they will show the warning (though still not red) on all http pages regardless of whether there are forms or not.

    1. Nate Hoffelder, 11 February, 2018

      Nick, thank you for pointing out my goof; I had actually reported it correctly last year, and then mismembered the details.

  2. Robert Nagle, 11 February, 2018

    Thank you for this information. But let me ask an uncomfortable question: why does a personal blog need an SSL certificate? And what is the harm of a web surfer visiting a personal blog which lacks an SSL certificate?

    Finally, let me ask: which companies stand to benefit financially when site owners obtain SSL certificates?

    1. Nate Hoffelder, 11 February, 2018

      Because Google said so. That’s about it.

      I only just added HTTPS on my Valiant Chicken site in December when I was doing site upgrades, and that should give you an idea of how important I think this is.

    2. Jason van Gumster, 13 February, 2018

      From the perspective of data security through encryption, there is a global benefit. If all traffic is encrypted, then it becomes more difficult to separate “important” encrypted traffic from “unimportant” encrypted traffic. In the current scenario, if you’re looking for network traffic that you know is protected with encryption, you can easily disregard any unencrypted data and narrow your focus on just the packets that are encrypted. With everything encrypted, all data and traffic starts to look the same and it’s more difficult to narrow your search through all that garbage data.

      That said, I still have a few sites that I still need to convert to using HTTPS.

      1. Nate Hoffelder, 13 February, 2018

        herd immunity, basically?

        that works for me

