Google announced that it is stepping up its efforts against HTTP sites starting in October 2017. Google Chrome 62 in October 2017 will start marking, even more, sites as “Not secure” if they are running HTTP instead of HTTPS.
HTTP Changes in Google Chrome 62 for October 2017
Here is a view of the two major changes coming in Chrome 62.
The first is that HTTP pages with user input are going to be marked “Not secure” starting with Chrome 62 in October 2017. The second is that browsing in Chrome Incognito mode will mark all HTTP sites as not secure starting in October 2017.
What STH is doing to comply with the Google HTTPS push
At STH we transitioned our forums to HTTPS early, adopting Google SPDY for increased performance. That project gave way to HTTP/2 which the forums were upgraded to, just this week. The STH main site, which we do not allow general public logins for, was transitioned to HTTPS and HTTP/2 in Q3 2016.
HTTP/2 does not require HTTPS but for most practical purposes, it does since browsers generally are only supporting HTTP/2 with HTTPS. HTTPS and has significant performance improvements.
One of the major trends we will see from server manufacturers in 2017 and beyond is attention to dedicated cryptographic engines. For example, Intel QAT is an acceleration technology that can help offload high-traffic OpenSSL encryption generated by HTTPS.
Another major impact we expect from this change is that we are going to see many projects start to adopt HTTPS as their protocol of choice for management interfaces. That is no small feat as there are millions of embedded systems still using HTTP in the wild.
The bottom line is this, start the transition to HTTPS today if you have not already. It is still confounding that there are tech news sites that preach security yet do not implement HTTPS.
It needs to happen. You’re right that management web pages are going to get stuck with this. Here’s the bigger concern for me —- search boxes. So many sites have them as user input and are not HTTPS. They’re all going to get hit.
I’m shocked AnandTech and others don’t use HTTPS. You’d expect them to be on the leading edge of this trend as they cover security. Around for 20 years and still on HTTP. I like their reviews too.