Google has decided to lead the way on the web, as it often has. In this case, Google has announced that as of January 1, 2017, web pages that transmit credit cards or ask for passwords over HTTP (vs. HTTPS) will be marked NOT SECURE in the address bar.
Some of you will say that this is as it should be, and I will be the first to agree with you. Any web site that asks for your userid and password over an insecure connection needs to be flogged appropriately. Likewise, if a web site asks for credit card information in clear text, it is, at the very minimum, in violation of the merchant agreement that the company signed with its bank. It too needs to mend its ways.
My guess is that there are way too many sites that will get scooped up in this NOT SECURE net come January 1. It likely will be like the changeover to chip based credit cards. When last September's deadline arrived, people said "crap" (or something to that effect), "they aren't kidding; they really are going to leave this deadline in place," and companies started doing what they should have been doing a year prior to that. However, they discovered that fixing this problem was harder than they thought. As a result, almost a year past this deadline, there are still hundreds of thousands of businesses that have not converted. I do predict that almost every single major site will have this handled well in advance. No doubt Google is already talking to major web properties privately.
In this case, people may think that Google will blink. While no one knows for sure, I would not bet on that outcome.
But this is not where it ends. It ends with, in Google’s view, the death of HTTP.
The next step is to label all pages that are loaded without encryption when the user is in incognito mode as NOT SECURE.
Finally, the last step is to label all pages loaded over HTTP as NOT SECURE. Google has not provided a date for this step, but it may well be during 2017.
Of course, this only affects users who use a Google browser on their computer or phone, but according to W3Schools, that is over 72% of users right now, and growing. Last August, that percentage was only 64% (see stats here).
Since most businesses do not want their customers to see that message when going to their web site, they will finally, reluctantly, migrate all traffic to HTTPS.
And to be clear, this does not mean optionally HTTPS; this means mandatory HTTPS.
The biggest challenge will be for companies that have hundreds or thousands of web sites. They will need to touch each one of them. They may need to order an SSL certificate for each one. It will require some work.
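For a company with hundreds of sites, the practical first step is an inventory that sorts pages by which phase of the rollout described above will catch them: pages with password or card fields over HTTP (the January 1 rule), plain HTTP pages (the later "all HTTP" rule), and HTTP origins that already redirect to HTTPS. The following is an added example, not code from the post or from Google. It assumes each page's HTML and the HTTP response's `Location` header have already been fetched by some other tool (only constructed samples are used here, so it runs offline); the field-name hints used to spot card-number inputs, and all function and constant names, are the author's assumptions.

```python
"""Classify pages in a site inventory by the Chrome "NOT SECURE" rollout phase.

Added example, not from the original post. Inputs are constructed: each entry
is (page URL, fetched HTML, Location header of the HTTP response or None).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed name/id/autocomplete fragments that identify a card-number input.
CARD_HINTS = ("cardnumber", "card-number", "card_number", "cardnum",
              "cc-number", "ccnum", "creditcard")

PHASE_1 = "phase 1: password/card field over HTTP"
PHASE_3 = "phase 3: plain HTTP page (no sensitive fields)"
REDIRECTS = "ok: HTTP redirects to HTTPS"
OK = "ok: served over HTTPS"


class _FieldScanner(HTMLParser):
    """Collect the kinds of sensitive <input> elements found in the page."""

    def __init__(self):
        super().__init__()
        self.kinds = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attributes without a value arrive as None; normalise to "".
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.kinds.append("password")
            return
        blob = " ".join((a.get("name", ""), a.get("id", ""),
                         a.get("autocomplete", "")))
        if any(hint in blob for hint in CARD_HINTS):
            self.kinds.append("card")


def sensitive_fields(html):
    """Return the list of sensitive input kinds ('password', 'card') on a page."""
    scanner = _FieldScanner()
    scanner.feed(html)
    return scanner.kinds


def classify(page_url, html, redirect_location=None):
    """Return the rollout phase that applies to one page.

    A password or card field on an HTTP page is flagged even if its form
    posts to an HTTPS action: the HTTP page itself can be altered in transit,
    so the form target gives no assurance.
    """
    scheme = urlsplit(page_url).scheme.lower()
    if scheme == "https":
        return OK
    if redirect_location and urlsplit(redirect_location).scheme.lower() == "https":
        return REDIRECTS
    if sensitive_fields(html):
        return PHASE_1
    return PHASE_3


def audit(inventory):
    """Map each URL in the inventory to its verdict; phase 1 pages sort first."""
    verdicts = {url: classify(url, html, loc) for url, html, loc in inventory}
    order = {PHASE_1: 0, PHASE_3: 1, REDIRECTS: 2, OK: 3}
    return dict(sorted(verdicts.items(), key=lambda kv: order[kv[1]]))


# Constructed sample inventory (hypothetical hosts, not real sites).
SAMPLE = [
    ("http://shop.example/login",
     '<form action="https://shop.example/auth"><input name="user">'
     '<input type="password" name="pw"></form>', None),
    ("http://shop.example/checkout",
     '<form><input name="cc-number" autocomplete="cc-number"></form>', None),
    ("http://shop.example/about", "<p>About us</p>", None),
    ("http://www.example/", "", "https://www.example/"),
    ("https://secure.example/login", '<input type="password">', None),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(f"{verdict:45s} {url}")
```

Pages in the first bucket are the ones to fix before the January 1 deadline; the plain HTTP bucket is the list to work through before the later, undated phase, and the migration is done only when every entry lands in one of the two "ok" buckets.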
My recommendation is to start now and avoid the New Year’s Eve rush.
Information for this post came from Google’s security blog.