Upcoming changes in Google Chrome will have a major impact on the internet.
Google Chrome 56, due out at the end of January, will include a couple of major changes that are bound to shake up the internet. The first, most disruptive change will involve labeling unencrypted websites as “Not Secure.” The other update marks the final deprecation of SHA-1.
Both will have major ramifications. Let’s take a look at each.
Non-HTTPS Sites Will Be Labeled “Not Secure”
In Chrome 55, Google changed the security indicator for an encrypted connection to “Secure.” That’s right, the address bar now says “Secure” in green next to a padlock icon and the URL when you’re on a site with SSL.
That was the first stage. In Chrome 56, Google will change its negative security indicators to say “Not Secure” anytime you visit a non-HTTPS site. Here’s what it will look like:
As you can probably imagine, this is going to be an issue for a lot of website owners. According to Symantec, as of last year, just 3-5% of all websites were encrypted. That means that with the arrival of Google Chrome 56, upwards of 95% of the internet could see that Google is labeling their website as “Not Secure.”
In a day and age where the internet-using public is hyper-vigilant about threats to its privacy and safety, a “Not Secure” visual indicator is going to absolutely crater traffic for a lot of sites. It’s also going to affect a lot of businesses’ bottom lines.
The end result is that SSL certificates are going to become a requirement for most websites. Frankly, it’s going to change the entire SSL industry, as more web hosts become interested in offering encryption solutions, more customers enter the marketplace and more people learn about the product.
The End of SHA-1
If you’re not in IT or tasked with handling your company or organization’s security implementations, then you likely haven’t followed the fact that the internet has been deprecating SHA-1 while we migrate to SHA-2.
SHA-1 and SHA-2 are hashing algorithms. They’re used to achieve a number of functions and are extremely important in the context of SSL, where the hash is part of the signature on a certificate. Since the beginning of 2016, issuing certificates with SHA-1 has been pretty much banned. Now in 2017, with the release of Chrome 56, support for SHA-1 will be pulled.
Basically, if you want to buy an SSL Certificate from now on, you need to use SHA-2. SHA-1 certificates will now be greeted with a full page warning. The other browsers, Mozilla Firefox, Apple Safari and Microsoft Edge, have all announced plans to follow suit. SHA-1 is officially dead as of the release of Chrome 56.
If your website still uses an SHA-1 certificate, you have several options. If there’s still time left on it (more than three months), you can usually re-issue the certificate, this time selecting the SHA-2 option, and then re-install it on your server. This will instantly solve your problems. If you have three months or less, you can renew and select SHA-2. This lets you carry over any remaining time and maintain browser support. Or, if those two fail, you might just have to purchase a new one.
Either way, come the release of Google Chrome 56, SHA-1 will no longer cut it.
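To find out which of those options applies to a given certificate, the sketch below (an added example, not from the original article) reads the text printed by `openssl x509 -noout -text` and applies the reissue/renew triage described above. The sample text is constructed, and treating “three months” as 90 days and an expired certificate as “purchase” are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout printed by `openssl x509 -noout -text`.
SAMPLE_SHA1 = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Jun  1 00:00:00 2015 GMT
            Not After : Jun  1 00:00:00 2017 GMT
"""
SAMPLE_SHA256 = SAMPLE_SHA1.replace("sha1With", "sha256With")

SHA2_HASHES = ("sha224", "sha256", "sha384", "sha512")
THREE_MONTHS = timedelta(days=90)  # assumption: "three months" taken as 90 days


def parse_cert_text(text):
    """Return (signature_algorithm, not_after) from openssl text output."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text)
    end = re.search(r"Not After\s*:\s*(.+?)\s*GMT", text)
    if not alg or not end:
        raise ValueError("input does not look like `openssl x509 -text` output")
    # openssl pads single-digit days with a space; strptime accepts that.
    not_after = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
    return alg.group(1), not_after


def triage(text, today):
    """Map a certificate to the article's options for SHA-1 certificates."""
    alg, not_after = parse_cert_text(text)
    if any(h in alg.lower() for h in SHA2_HASHES):
        return "ok"            # already signed with a SHA-2 family hash
    remaining = not_after - today
    if remaining <= timedelta(0):
        return "purchase"      # assumption: expired, no time left to carry over
    if remaining > THREE_MONTHS:
        return "reissue"       # more than three months left
    return "renew"             # three months or less


if __name__ == "__main__":
    print(triage(SAMPLE_SHA1, datetime(2017, 1, 31)))
```

On a live server, the input would come from running `openssl x509 -noout -text -in cert.pem` against the installed certificate file.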
As you can see, the release of Chrome 56 means big changes for SSL and the internet. It also represents a big step forward for internet security. Encryption is a good thing; nobody should be able to eavesdrop on a connection. Making SSL a requirement will go a long way towards protecting people’s privacy.
But these changes alone are only a piece of a much larger puzzle. Google’s new “Secure” indicator could end up doing more harm than good as it lulls people into a false sense of security, and access to free DV SSL will make it even easier for cybercriminals to phish us.
The next battle will be about authentication, the ability to verify your online identity. But for now, it’s enough to be happy that encryption, and by extension a safer internet, is coming.