Google's Chrome browser and Mozilla's Firefox browser will soon be flagging sites that aren't encrypted. This is a minor annoyance to me, a greater annoyance to Dave Winer, and from what I've read, confusion with others. So here's my take on it:
First, the basics, what is HTTPS (skip ahead if you know this) - much of the web's core systems were designed when the Internet was used by a small group of relatively trustworthy academic types. One of the side effects is that data is sent unencrypted. So when you go to a website and either see a kitten picture, or discuss your medical conditions, or do online banking, anyone on the network could see whatever you do and capture anything you type. So yes, anyone on your network can see that you're reading this blog.
HTTPS is an improvement to encrypt everything between your browser and the web server. Not only can others not see what you're typing or reading, they can't even see what pages you're visiting. This is important for a number of activities like online banking or buying stuff online, and great for things you want to keep private. There are those who want to keep everything private, and wish every site was HTTPS - but can't because many websites don't support it.
To support HTTPS with your website, you need to buy a certificate from a place like SSLs.com, set it up on your website, and start giving out URLs with https:// instead of http:// - this has gotten a lot cheaper in the past few years, and easier. But it is an expense, and something you need to keep updated on the server.
BTW, there are two types of SSL certificates. There are verified certificates, where they make sure that I am indeed the one and only GadgetDon, doing business as gadgetdon. These are more expensive, and you have to jump through a number of hoops to qualify for it. Apple Computer has done this, as has Google, so when you visit those sites you know it's the real thing. Unverified certificates say nothing about who owns the site and just encrypts. And that's plenty for the vast, vast majority of sites.
Until recently, unencrypted was the norm, encrypted sites using https were less common and marked with a "lock" in the URL address bar. And a generation of education about "before you enter sensitive data, look for the lock!"
Firefox and Chrome browsers are going to put up a symbol on unencrypted sites, in part to warn users when their data isn't being encrypted and in part to push more websites into using https.
(1) They aren't blocking unencrypted sites, they aren't putting up a big warning saying "WARNING! THIS SITE IS DANGEROUS" (like they do with sites with known malware), it's just a small icon.
(2) I'm not sold on the need of this. But I'm a pretty advanced user and once every few months I do encounter a website where I think "damn, this should be encrypted". So what's the tradeoff between warnings on the vast majority of unencrypted sites that really don't matter that they're unencrypted vs. the few that REALLY need warnings on them? Google and Chrome came down on "warn"
(3) If you're on the fence of whether to encrypt your site, I'd say "go for it". I'm not encrypting, but there are a few articles I didn't write because it could be sensitive. Side effect - if you are getting email from the same server, your email gets encrypted too, and some of that CAN be sensitive. And it's never been cheaper or easier to encrypt it.
(4) After all these years seeing how few people notice a "lock" icon or favicons - I doubt that many people will even notice the icon. Those who do, most will understand "oh it's just saying it's not encrypted" - and if it doesn't matter, won't care.
Posted on January 31, 2016, 4:30 pm
Last updated on January 31, 2016, 4:41 pm
This blog is powered by an experimental program called RSB for Really Simple Blog. RSB ©2015 by Donald Brown. Thanks to the people at Twitter for a really cool API and Dave Winer for inspiring me on this.