You may have heard that changes are coming to Chrome in January. This simple change is the next step in Google’s strategy of what is called “secure by default” browsing. When sites that are served over HTTP (vs HTTPS) and these sites expose a password field, it will be flagged as insecure to the user.
The Chrome team has long term plans of showing insecure warnings on all HTTP sites in the future. In the past, many sites have always taken the “mostly HTTP except for logins and authenticated pages” approach. That has served the community well, but the winds are changing. In the future, we’ll see even public home pages being flagged.
As ecommerce and B2B developers, security has long been part of CQL's design criteria. Today, we are finding that many of our clients are now looking at other legacy websites and portals to ensure that customer, partner and employee security is maintained, as well.
For our more technical readers, there’s a post by Troy Hunt that discusses the matter and shows some images of what the browser will look like. He also shows you how you can turn on a flag in Chrome to mark HTTP sites as insecure now, which can help you be prepared.
Said another way – if you are a business or technical leader in your company, it’s a good idea to read up on the topic and turn on that flag now, while perusing some of your legacy systems.
This first milestone in January will only flag pages with password fields on HTTP as insecure, but the long term goal is to shame HTTP out of existence.
Certainly CQL has adopted the mentality of building a site over HTTPS by default, but we want all our clients, partners and friends to do the same. That’s the way the world is headed. Let’s be prepared.
(If you need some guidance, do not hesitate to ask us — we are glad to help.)