The HTTPocalypse was Postponed, But It’s Still On its Way

The HTTPocalypse was Postponed, But It's Still On its Way Google Security & Privacy

Back in July and August of 2017 Google started telling everyone that Chrome would soon start warning users any time they visit a site enter a form on a page that doesn’t use HTTPS encryption.

The deadline was supposed to be in October 2017, but for some unknown reason Google let the deadline lapse with no explanation.

Now they have apparently rescheduled the HTTPocalypse for July 2018.

Edit: Now Google is pushing for sites to use HTTPS site-wide, and not just on pages with forms.

Google announced on Thursday that with the release of Chrome 68 in July, Chrome will start warning users when they visit sites that don't have HTTPS.

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.

Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:
  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default

I had previously posted on this issue last year, and since I have updated that post today I won't repeat what it says, but I do want to reiterate that it's entirely possible for your site to have HTTPS and still not be secure.

Many hosting companies and tech "experts" have published instructions that leave out a critical step in taking a site to HTTPS. They tell you to get an SSL certificate and then change a setting so that your domain starts with HTTPS rather than HTTP, but they forget to tell you that you also need to force all content on a page to use HTTPS.

For example, if you have existing blog posts with images, those images need to be forced to use HTTPS.

Usually this is not a serious issue for WordPress sites; all that is required is to go though the other steps (get an SSL certificate, etc) and then also install a plugin like SSL Insecure Content Fixer (this worked on every site I've tried).

That takes care of about 95% of all WordPress sites; the rest turn out to have a weird quirk that needs to be fixed by hand.

image by Sean MacEntee

About Nate Hoffelder (9903 Articles)
Nate Hoffelder is the founder and editor of The Digital Reader:"I've been into reading ebooks since forever, but I only got my first ereader in July 2007. Everything quickly spiraled out of control from there. Before I started this blog in January 2010 I covered ebooks, ebook readers, and digital publishing for about 2 years as a part of MobileRead Forums. It's a great community, and being a member is a joy. But I thought I could make something out of how I covered the news for MobileRead, so I started this blog."

6 Comments on The HTTPocalypse was Postponed, But It’s Still On its Way

  1. The October deadline did come and did hit, many people just misread what was going to happen at that stage. The Oct 2017 point, they started displaying the warning on http pages that have forms when users start typing in the form. Also in Oct 2017 they started displaying the warning on all http pages viewed in incognito mode.

    The July 2018 deadline they will show the warning (though still not red) on all http pages regardless of there are forms or not.

  2. Thank you for this information. But let me ask an uncomfortable question: why does a personal blog need a SSL certificate? And what is the harm of a web surfer visiting a personal blog which lacks an SSL certificate?

    Finally, let me ask: which companies stand to benefit financially when site owners obtain SSL certificates?

    • Because Google said so. That’s about it.

      I only just added HTTPS on my Valiant Chicken site in December when I was doing site upgrades, and that should give you an idea of how important I think this is.

    • From the perspective of data security through encryption, there is a global benefit. If all traffic is encrypted, then it becomes more difficult to separate “important” encrypted traffic from “unimportant” encrypted traffic. In the current scenario, if you’re looking for network traffic that you know is protected with encryption, you can easily disregard any unencrypted data and narrow your focus on just the packets that are encrypted. With everything encrypted, all data and traffic starts to look the same and it’s more difficult to narrow your search through all that garbage data.

      That said, I still have a few sites that I still need to convert to using HTTPS.

Leave a comment

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: