In February I wrote about some then-new security warnings implemented by Google Chrome for sites that collected passwords or credit card numbers without having a security certificate. Many sites were affected by that change. Many more are about to be.
In April Google announced that these same warnings would show up on non-secure web pages that include any text input field, regardless of what it is used for. It’s now October, when Chrome is scheduled to begin implementing these warnings for non-secure sites, and many of our clients are starting to receive emails warning them that their site will be affected.
The non-secure site warnings will appear when visitors to your site who use the Chrome browser begin to type into any input field. And yes, that does mean that if your site offers search — even if it collects no other information — it will indeed generate the non-secure warning. Sites with registration forms, surveys, and many other types of data-collecting forms will also produce the warnings, as (of course) will sites that actually do collect sensitive information like passwords, personal information, or credit card details.
The one and only way* to prevent your site from generating these warnings is for it to be served securely using the HTTPS protocol. You can recognize sites that are served securely because the URL will look like this:
A secure HTTPS site is one with an valid SSL certificate from a valid certificate authority, installed and set up correctly. Security certificates provide two layers of protection.
First, the certificate validates the identity of the site. In the example I just gave, it would give you certainty that you are actually accessing the hopstudios.com website, and not a site pretending to be hopstudios.com; creating imposter sites is a common tactic used in those phishing emails claiming to be from financial institutions.
Second, the SSL certificate is a code / tool that ensures the data exchanged between your computer and the server is encrypted during transfer, when it is most vulnerable to interception or even modification.
SSL certificates typically run from $150 to $300 per year, depending on your site’s needs and size. Once purchased, it will take a Web developer a couple hours to set up the certificate for use on the site and test it. From that point on, you simply need to renew your certificate annually and relax knowing that your site is following solid web standards and that non-secure Chrome warnings won’t alarm your visitors.
* Technically you could also “solve” this issue by removing all input fields from all pages of your site. Unless you’re willing to give up functionality that you and your visitors rely on, this can’t really be considered a viable way to prevent non-secure site warnings.