Google Chrome will start marking most websites insecure come July

Treatment of HTTP Pages Chrome 68

UPDATE 7-1-18: After quite an uprising on my Twitter post. I have come to realize some of these statemnts are not 100% accurate. I will be marking this page up accordingly to reflect and correct those wrongs. My opinion that this push for HTTPS is misleading, still remains.

Google, in an effort to force websites to obtain SSL certificates, will be marking website connections without them as “insecure” on the Google Chrome browser. But is this true? Are websites without SSL certificates insecure?

What is an SSL Certificate?

In plain terms, an SSL certificate is basically software on a server that encrypts data that is being entered into a website by a user and protectsthe websites data as it bounces through the internet.

So basically, any information you enter into a website such as name, address, credit card information, etc.. is encrypted to prevent this data from being viewed by unauthorized viewers, AKA Hackers.
Websites with SSL installed will have “https:” in their url as opposed to the usual “http:”. 

Most websites that collect credit card, or other important personal data, require an SSL or some form of protection.

What about websites that don’t collect user data?

For websites that do not collect user data at all… An SSL has no impact on a websites security whatsoeveran SSL/TLS can protect the websites data s it travels through the web. In lies my complaint. Google Chrome will mark ALL website connections, insecure, if they do not have an SSL. Regardless of whether they are collecting data or not. If the website does not have “https:” in its url, it(the connection) will be deemed insecure, and marked so on the browser. Even though there is absolutely nothing insecure about the actual website whatsoever (other than its insecure connection that has always been that way). Basically Google Chrome is lying tomisleadingyou with the truth (semantics).

Even if a non-SSL website IS collecting data of some kind, such as a newsletter signup form, or even payment details. There are 3rd party options that DO have SSL’s and secure that data independently. Which allows a non-SSL website to secure data without requiring them to install an SSL on their server. While this statement is somewhat true, third party form providers that use HTTPS will not protect the form as it is called to the http site. It will only protect the data as it travels.

For example:
On my website I have several forms on my contact page. I do not have an SSL, yet all of the information entered, goes through third party SSL encryption. The data is completely encrypted and secured before it everafter it leaves my website, because the third party I am using to collect the data already has an SSL. So even though my website and any data transferred is 100% secure (When the website is loaded on HTTP it is not 100% secure)… Chrome will say otherwise because I do not have an SSL installed locally on my server. Its an outright lietrue (and ALWAYS HAS BEEN) and it may hurt my business if I do not give in and install an SSL that I absolutely do not need (necessity is debatable). 

So here is the truth. 
Come July, if you see a website marked insecure on Google Chrome, that does not mean the website is actually insecure. It only means that it does not use SSL Encryption technology to secure the connectionAnd if you are not entering information into that website, it means absolutely nothing at allEven if you are not entering information the website could be used to deceive you IF it has been intercepted by bad evil menHowever, You can view and browse the website without any much worry. Just because a website does not have an SSL, does not mean a website is not secure. Just because a website does not have an SSL, does not make that website any risk to you at allThere is some risk if a website does not have SSL/TLS, but there always has been. Furthermore… even if that website DOES have an SSL… the information gathered can STILL be used fraudulently.

Most of the biggest data breaches in the world, happened with websites that DID have an SSL. An SSL is nothing A little more than encryption. It can still be hacked, and it can still be used to collect data for fraudulent purposes.

RECAP
A website without an SSL, does not mean the website is insecure. It means the connection is insecure
A website with an SSL can still be insecure.
All an SSL does is encrypt data.
Anytime you enter your data into a website it is always at risk, regardless of an SSL.

In closing I will say this. It is safer to do business with a website that encrypts your data. But just because you do not see “https” in the url, does NOT mean they are not encrypting your data, But it could be after the factIf you are not entering any data in the first place, an SSL (“https”) has absolutely no impact on the websites security at all.Even if you are not entering any data, the website could still be used maliciously, however so could a website with SSL/TLS (https). So keep in mind come July. Just because you may see Chrome marking websites insecure, it does not mean they(the website itself) are. What has really bothered me most about all of this, is that I collect very little information. I use a contact form and a newsletter form, both of which utilize a third party SSL and secure all data entered, yet Chrome will say my site connection is insecure. It is misleadingThis is borderline defamation (Saved by Semantics), and it really upsets me. What’s worse is seeing companies like Godaddy trying to scare businesses into buying SSL’s with them. Warning them that Google is going to punish them if they don’t. Its shady business and I hate to see it.

Well that is it for tonight. Keep in mind what I mentioned in this blog, and don’t be afraid of Googles little fear tactic. There is no website that is 100% secure, so always be careful with your sensitive information. 


UPDATE

I had a short conversation with representatives of Godaddy. They pretty much confirmed, that Google will be misleading its users by labeling a website connection “not secure” based on one area of security alone. An area of security that not every website even needs. This labe of “Not Secure” does not reflect a websites files, applications, or “secure” access. The label will be misleading at best. This is bad business Google. Shame on you! Google is #FAKE Semantically misleading NEWS

godaddy
Please Follow and Share!