Over the Christmas week we noticed that Google have begun sending out notices through the Google Search Console to websites that have login and password fields on pages that are not served over HTTPS. The notification says that non-secure collection of passwords will trigger warnings in Chrome 56.
From January, Chrome 56 will issue a security warning for web pages that contain these login fields and are not served over HTTPS. The message reads:
Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as “Not Secure” unless the pages are served over HTTPS.
The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, and so you can take action to help protect users’ data. The list is not exhaustive.
Here is a copy of the full notification:
Google went into more detail on the upcoming change in a post on Google+, where they explained how the system will treat URLs from systems that have not upgraded.
“From the end of January with Chrome 56, Chrome will mark HTTP sites that collect passwords or credit cards as non-secure,” the company explained. “Enabling HTTPS on your whole site is important, but if your site collects passwords, payment info, or any other personal information, it’s critical to use HTTPS. Without HTTPS, bad actors can steal this confidential data. #NoHacked”
Why is HTTPS important?
Using HTTPS encrypts connections to prevent anyone from intercepting or tampering with the communication between your website and your visitors’ browsers. It also prevents bad actors from abusing your site by inserting malicious code or unwanted advertising into your users’ browsers.
An HTTPS connection lets your visitors know that they’re securely connected to your site and that what they’re seeing is legitimate.
How does it benefit me?
The threat of reduced traffic to their sites is often enough to spur businesses to act. Though there is a cost associated with switching to an HTTPS server, it’s worth it in the long run to help build trust with website visitors.
The plan currently applies only to the Google Chrome browser, but since Chrome has a significant market share, we’d advise you to make the switch sooner rather than later.