If you haven’t already, it’s time to make “HTTPS by default” your new motto.
> […] within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
>
> Source: Chromium Blog: A secure web is here to stay
Visually, every site on HTTP will be marked as “not secure” next to the address bar.
This essentially means:
- Your site will need HTTPS (X.509 certificates needed)
- You’ll want to make sure you monitor for mixed content (HTTP resources on an HTTPS site)
- You’ll need to be aware of certificate expirations & renewals
A few years ago I wrote about “the real cost of ‘S’ in HTTPS”, about how you only need a single error in your HTTPS setup or content to make your site unusable for visitors. HTTPS is an “it either works 100% or it doesn’t at all” type of configuration.
Luckily – _and largely inspired by that blogpost and the general adoption of HTTPS_ – there are tools like Oh Dear! that help monitor your SSL/TLS certificates, scan for mixed content & report general errors of your HTTPS stack.