Last week, the movement to encrypt the web achieved another milestone: Google’s Chrome browser made good on its promise to mark all HTTP sites “not secure.” EFF welcomes this move, and we are calling on other browsers to follow suit.
This is the latest in the web’s massive shift from non-secure HTTP to the more secure, encrypted HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser. HTTP has serious problems that make it vulnerable to eavesdropping and content hijacking. HTTPS fixes most of these problems. That’s why EFF and others have been working to encourage websites to offer HTTPS by default.
And browsers have been an important part of the equation to push secure browsing forward. Last year, Chrome and Firefox started showing users “Not secure” warnings when HTTP websites asked them to submit password or credit card information. And last October, Chrome expanded the warning to cover all input fields, as well as all pages viewed over HTTP in Incognito mode.
Chrome’s most recent move to show “not secure” warnings on all HTTP pages reflects an important, ongoing shift for user expectations: users should be able to expect HTTPS encryption—and the privacy and integrity it ensures—by default. Looking ahead, Chrome plans to remove the “Secure” indicator next to HTTPS sites, indicating that encrypted HTTPS connections are increasingly the norm (even on sites that don’t accept user input).
For website owners and administrators, these changes come at a time when offering HTTPS is easier and cheaper than ever thanks to certificate authorities like Let’s Encrypt. Certificate Authorities (CAs) issue signed digital certificates to website owners that help web users and their browsers independently verify the association between a particular HTTPS site and a cryptographic key. Let's Encrypt stands out because it offers these certificates for free and in a manner that facilitates automation. And, with EFF’s Certbot and other Let’s Encrypt client applications, certificates are easier than ever for webmasters and website administrators to get.
What Website Owners and Users Can Do
If you’re a website owner or administrator new to getting your own HTTPS certificate, check out these resources for moving your site from “not secure” to secure.
If you're a user, you can take steps to protect your browsing. Download HTTPS Everywhere to make sure your browser uses an encrypted HTTPS connection wherever possible.