So on February 8, 2018, in a very militant move Google announced that “Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure””.
Great, so that mom and pop recipe site, or your restaurant’s menu online, or thesaurus.com, or the local youth sports page and more. These small, websites that we use for a variety of reasons, which do not collect money in any form much less credit cards are all going to say “NOT SECURE” when we visit them.
Chrome’s new treatment of HTTP pages.
FireFox & current Chrome does this too, but not in your face like Google intends to do.
Don’t get me wrong, I am all about security, my problem is that people will be scared to visit these types of sites because “it’s not safe”. The language is all wrong…. “Not Secure” & “Connection Not Secure” are fully inaccurate, especially given the NON-Commerce venue of such websites. The correct terminology would be “Connection not encrypted“.
The logic is like this, Google has website pbs.org marked as a safe website via their own transparency report, but then at the finish line in the address bar they say it’s not secure. In fact for the purpose of the website and the purpose of the user’s visit, it is secure. It’s just not encrypted and has no reason to be.
So why don’t website owners just get an SSL? Seems reasonable enough huh?
Even though there are free SSL certificates, many cannot complete the process on their own and end up paying up to $150 (biggest price tag I’ve seen yet) to someone who can. That’s a yearly price kids! Even if the website owner has the ability to complete the forms and verification, likely they haven’t the knowledge, nor the access to actually install the certificate…. So they still have to pay like $15-$75 a year to have the SSL installed.
These don’t seem like big expenses, but what about site’s like my dad’s Masonic Lodge, this veterans help group Ranger Farms or this Youth Football website? These non-profit, community not for profit and club type pages don’t have the money. If you go to Google and search you will see thousands and thousands of pages without SSL. So very many of them do not need SSL for any reason. This whole thing makes me wonder if Google bought a certificate authority recently or something =P
The correct terminology is “Connection not encrypted“, in fact Google saying someone’s website is secure with one side of their face and then not with the other is ridiculous for such a huge, influential company. I think website owners should sue the browser companies for misrepresenting their interests!
PS: I borrowed the bully image from http://www.pbs.org/, seemed appropriate for this situation.