Beginning in October 2017, Chrome will begin labeling websites that have forms and use HTTP instead of the more secure HTTPS. HTTP is the connection that browsers use to view pages across the Internet, while HTTPS is a secure version of HTTP. Chrome currently displays a lock icon in the address bar for sites that are secure via HTTPS, but the security team will be taking it one step further by displaying a warning on unencrypted sites with forms. The label will appear as “Not secure”, notifying users that any data input into a form will be insecure.

Do Forms Normally Use HTTPS?

Historically, HTTPS was reserved for websites that handled more confidential data – e-commerce sites (credit cards), banking sites (financial and logins), and other sensitive information – to ensure the user-entered content was sent securely to the server. If a website’s form didn’t collect sensitive data, it was a widely accepted practice to use an HTTP connection. This update by Google is a larger attempt at securing the Internet, and this is the first big push in that direction.

What Do The Non-Secure Notices Look Like?

According to Google, these warnings will come as a highlight in the URL bar next to the site address (see below). The October update will also modify Incognito mode to show any site as “Not Secure” that doesn’t use HTTPS by default.

Chrome will notify users of insecure forms

While the notices are relatively modest from a security viewpoint, Google has indicated in several other areas that there is a larger goal of securing the Internet and informing users about security on the Internet. It’s believed that this HTTPS form update is one of the first big pushes in that direction.

It’s important to note that the notice will be shown on any page where a form resides. If a site has a search field or a newsletter signup on every page, this means that the entire site will show “Not secure” as a result, since a form shows on every page.

What Kind Of Forms Are Being Addressed?

Any type of form data would include the following:

  • Search fields
  • Login fields
  • Blog comment fields including name, website, email, comment
  • Contact forms and fields
  • Newsletter signup forms and fields
  • Whitepaper download forms and fields
  • Any form that a user would type something into your site and have the information transmitted to your server or any other server

If a website has any of the above, visitors will see a “Not secure” warning on the page with the form.

How Can HTTPS Be Added To My Site?

HTTPS is typically installed by the web hosting company. If your site is hosted by Red Clay Interactive, contact your account executive to discuss how HTTPS can be added to your site. If your site is not hosted with Red Clay Interactive, contact your hosting company to discuss adding an SSL to your site (fees may be charged by your hosting company and can range depending on the hosting company).

What Happens If I Do Nothing?

If you elect do nothing, visitors will see the above label on any page that has a form. It’s possible that the “Not secure” label may have a small impact on your site or it may have a substantial impact – ultimately, each company is unique and has different audiences. Google has indicated they want to secure the internet and experts believe that security notices will become more prominent over time. If one of your website’s primary objectives is lead generation, having a site without HTTPS may become a liability in the not too distant future.

Leave a Comment