Changes to browser HTTPS warnings in Firefox and Chrome

In case you haven't been following, Firefox 51 and Chrome 56 are rolling out and they now include a significant change in how they treat non-HTTPS sites. In the newer versions, when you you pull up a page that has a form that includes password or credit card fields, you will get a warning if you are not connected to the website over a secure connection (HTTPS).

Here is how an HTTP page in in firefox looks without the form:

Here is what happens when you try to pull up a form:

Now with Chrome here is the normal ! icon on an HTTP page:

But here is what happens when you try to pull up the login page:

Consequences

This change in the way browsers flag non-HTTPS sites is more than a simple visual change. It's actually a real paradigm shift, a shift that implies the de-facto connection standard is now becoming HTTPS and using a non-encrypted HTTP connection is no longer the way to go.

It used to be acceptable to have your webpage load over HTTP, and only make sure to submit the form using HTTPS. However, this has always been a risk since an attacker could intercept the plain text page and change the form before submission. Now going forward, if you use this approach your users will be warned as if the entire transaction is insecure.

The changes won't stop there. Future versions of Firefox and Chrome claim to eventually include the the warning next to all HTTP websites, no matter which features your website will provide.

How to be prepared

If you haven't switched to HTTPS yet, now it's a good time to consider it. 2016 introduced a lot of interesting new opportunities and changes in the SSL/TLS eco-system, and obtaining an SSL certificate is now very easy and not that expensive.

Actually, thanks to some Certificate Authorities like Let's Encrypt, in some cases you can even get an SSL certificate for free. In November, we announced our direct integration with Let's Encrypt, that allows you to get free SSL certificates for your domains signed by Let's Encrypt. Even better, the process is completely automated, and we will take care of the validation and renewal for you!

If for some reason Let's Encrypt doesn't work for you, we also provide affordable wildcard and single-name SSL certificates signed by Comodo.

All of these SSL certificates come with our standard set of features, such as an easy request process, and an easy-to-use SSL installation wizard. Our brand new domain-management API also provides the ability to download and access the SSL certificates in your DNSimple account.

What else?

In 2016 we assisted to one of the largest increases of SSL certificates issued. However, at this point it's unquestionable that the 2017 will be the year where the majority of websites still using HTTP will have to consider transitioning to HTTPS.

At DNSimple we will continue to support this transition, helping customers to have easy access to SSL certificates and advanced features. Two weeks ago we announced the support of the new Certification Authority Authorization (CAA) DNS record, to help site owners to have better control of SSL certificate issuance.

As usual, if you have any questions about SSL certificates, or feedback about new features, we'd like to hear from you!

May the encryption be with you!

Share on Twitter and Facebook

Amelia Aronsohn

Kaizen junkie, list enthusiast, automation obsessor, unrepentant otaku, constantly impressed by how amazing technology is.