You may have noticed recently, possibly when accessing something like a website login page, that a fairly prominent ‘Not Secure’ warning, or a little lock with an ominous red line through it, is now appearing in the browser's address bar (Chrome and Firefox currently; I’m sure the others will soon follow). Or one of your website's visitors may have emailed you asking why this is appearing on your website. Here is a quick explainer.
The internet, in its default state, is unsecured, meaning that the communication between your computer and the internet is transferred in plain text (i.e. unencrypted). This makes the channel that transfers the data relatively easy to tap into and listen to, if one were so inclined. This was regarded as acceptable for websites that only presented information about a topic to a user, where no sensitive data was transferred. As the internet developed, particularly with the advent of online payment, a need arose to secure this channel so that data could be transferred without being susceptible to this intrusion.
The industry solution was to allow website owners to purchase and install SSL (Secure Sockets Layer) certificates to secure the data transfer between a computer and the internet. This allowed us to send personal information, credit card details and other data safe in the knowledge that it was secured in transit and only went to its intended recipient. The indication of a secure website has evolved slightly over the years, differing from browser to browser, but it is generally identified by https:// at the start of the web address and the presence of a lock in the address bar, sometimes green, sometimes not.
Having an SSL cert installed on a website allowed browsers to inform the user that a web page was secure. Otherwise, it was to be assumed that the page was not secure, but this was not communicated explicitly to the user. The browser did inform the user if the website tried to use SSL but there was an issue with the security setup, and this message became more and more alarming over time. That was a logical step to try to stop users accessing compromised sites impersonating legitimate websites. Even with these measures in place, such sites are still duping unsuspecting users daily into submitting data to websites they really should not.
With this knowledge gap about the difference between secure and non-secure websites being exploited, there has been a shift by the big players of the internet towards a situation whereby most, if not all, websites integrate SSL certificates, not just websites that process sensitive data. Evidence of this can be seen in the likes of PayPal removing support for non-SSL requests to their service, Google building the use of SSL into their ranking algorithm, and now this latest update of the mainstream web browsers to mark some non-SSL webpages as Not Secure.
This small tweak in the browser interface will spark many queries from users to website owners and, in turn, from website owners to developers. The solution that developers will offer website owners is the purchase and installation of an SSL certificate to remove this warning. As a result, a large number of websites will move to secure status, taking another large step towards a more secure internet.
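
For a developer fielding those queries, a useful first step is finding which pages on a site would draw the warning. The script below is an added example, not part of the original post. It assumes the warning applies to pages that contain a password field and are loaded without https:// (the login-page case mentioned at the top), and it goes one step further by also flagging an https:// page whose form submits the password to an http:// address. The host shop.example and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormScanner(HTMLParser):
    """Record each form's action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []               # one dict per <form> seen
        self.loose_password = False   # password input outside any <form>
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._current is not None:
                self._current["password"] = True
            else:
                self.loose_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_page(page_url, html):
    """Return a list of findings for one page; an empty list means nothing flagged."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    page_secure = urlparse(page_url).scheme == "https"
    has_password = scanner.loose_password or any(f["password"] for f in scanner.forms)
    if has_password and not page_secure:
        findings.append("password field on a page served without HTTPS")
    for form in scanner.forms:
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        if page_secure and form["password"] and urlparse(target).scheme != "https":
            findings.append("HTTPS page submits password to " + target)
    return findings

# Constructed sample input: a minimal login form, not taken from any real site.
SAMPLE_LOGIN = '<form action="/session" method="post"><input name="u"><input type="password" name="p"></form>'

if __name__ == "__main__":
    for url in ("http://shop.example/login", "https://shop.example/login"):
        print(url, audit_page(url, SAMPLE_LOGIN))
```

Feed it the URL and fetched HTML of each page on the site; pages that return an empty list either have no password field or are already served and submitted over HTTPS.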