December 8, 2016

HTTP websites in Chrome as "insecure" starting in January

Google will start reporting HTTP websites in Chrome as "insecure" starting in January 2017. Here are the details: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html


Short-term: beginning in January, Chrome 56 will identify HTTP web pages that collect passwords or credit card form information as "not secure" given their particularly sensitive nature and warn the user.

Long-term: eventually, Google plans to label all HTTP web pages as non-secure and change the HTTP security indicator to a red triangle. Additional browser products will likely be providing similar warnings (e.g., Firefox, Safari, IE, Edge, etc.)

The ITS Digital Certificate Service Team urges you to apply an SSL/TLS certificate to all websites:
  • If you are a web host administrator, you can obtain a free certificate by following the instructions on the following service page.
  • If you are a web host administrator or a website or content author, please review this FAQ for tips to help you ensure that all content is protected by the certificate (e.g., local content, mixed content, and multiple sites on a single web host).
  • Campus WCMS and Faculty WordPress administrators do not need to ask for a certificate for their individual websites. The ITS Web Services Team is working on making all Campus WCMS and Faculty WordPress websites HTTPS by default.
If you have questions, please contact its-certificate-group@ucsc.edu.