The Chrome browser has started showing that a site being over SSL and HTTPS more visible to users in its recent versions. Instead of showing just a green padlock, Google has added the word secure to that area.
The bar now looks like this:
For non-secure, regular sites, there will continue to be an icon that shows the user they can get more info about that site.
If users click on that site, they see this text:
This small change is just the beginning. At the end of January, Google and Chrome will start listing sites served over non-secure HTTP will be marked specifically as non-secure. WordFence shows in this image how Chrome will show all sites that aren’t served securely:
WordFence released a good blog post on these changes here.
This is a good thing, as serving of SSL and HTTPS not only is better protection for your data, you can, if you want, get some serving speed increases via HTTP/2.
On the downside, it may drive your campus or freelance clients to ask why their sites aren’t showing up as secure.
It will also drive users to think that something is wrong with their site or their information has been compromised. We will need to communicate to those users as well.
It will be a good opportunity for us as web developers to have a conversation about basic security and why technologies like SSL are important.
Luckily, installing SSL certificates is much easier now thanks to groups like Let’s Encrypt. They’ve taken the headache out of issuing and maintaining SSL certificates. The majority of the sites I host and support serve certificates from Let’s Encrypt, including this site.
With the pain removed, for the most part, there are fewer and fewer excuses not to serve your site over HTTPS/SSL.
The challenge here remains that not enough shared web hosting providers are offering easy and affordable SSL. Kudos to Dreamhost for being one of the largest hosts to offer free, no-configure SSL to their hosting clients. Let’s hope more and more companies join in.
I’m writing a longer post about this, but on the side, I have a web development and support company. We do hosting for many sites, and have we are making (at least) free SSL the default for all the sites we begin hosting in 2017. We’re also retrofitting all the sites we’ve previously launched. It’s just a click of the mouse for us, so there’s no excuse not to. Add in automatic renewal of the certificates, and it’s dead easy for developers and host companies to support.
If you’re a higher ed blogger, agency, freelancer, small business or non-profit, and want inexpensive web hosting with security like free Let’s Encrypt certificates included, contact me. I can help.