If you haven’t already, it’s time to make “HTTPS by default” your new motto.
[…] within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
Visually, every site on HTTP will be marked as “not secure” next to the address bar.
This essentially means:
- Your site will need HTTPS (X.509 certificates needed)
- You’ll want to make sure you monitor for mixed content (HTTP resources on an HTTPS site)
- You’ll need to be aware of certificate expirations & renewals
A few years ago I wrote about “the real cost of ’S’ in HTTPS”, about how you only need a single error in your HTTPS setup or content to make your site unusable for visitors. HTTPS is an “it either works 100% or it doesn’t at all” type of configuration.
Luckily – _and largely inspired by that blogpost and the general adoption of HTTPS_ – there are tools like Oh Dear! that help monitor your SSL/TLS certificates, scan for mixed content & report general errors of your HTTPS stack.