No HTTPS? Now You Should Panic

Starting in January 2017, Google's Chrome browser will begin marking any page with a password or credit card field as insecure if the page is not on HTTPS. 



It's difficult to know just how problematic a change like this could be for website operators, but it will likely prove quite significant - particularly when it comes to converting users (as well as getting them to stay on site for any extended period of time).


Chrome has never explicitly labelled HTTP connections an non-secure, opting in the past for a more neutral indicator. Google fears, however, that its previous approach did not reflect the true lack of security. See the image below for an indication of how these notifications will appear to users. 


A substantial portion of web traffic has already transitioned to HTTPS so far according to Google, and HTTPS usage is consistently increasing. In fact, as it stands today, more than half of Chrome desktop page loads are now served over HTTPS. In addition, since the time Google released its first HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS. 


Google also reiterated their plan to eventually mark all non-HTTPS as not secure, even on HTTP pages viewed in Incognito mode, although they haven't yet given a timeline on when this will happen. If your website is not yet using HTTPS, now would be the time to get that process started.