In just a couple of months, Google Chrome will start to point out the fact that your website is Not Secure if you do not have an SSL (TLS) certificate on your website.
This means that when a visitor arrives at your site they will see the word Not Secure in the address bar next to your website. This can lead to some visitors leaving straight away.
SSL (now TLS) certificates are absolutely essential for websites that request personal data of any sort. If you log in to a site, it must be done over a secure connection or else anyone can obtain your username and password and even just take over your session without your username and password; so for many years it has been recognised that logins and personal data collection should be done over a secure connection; but if you are just browsing a website that is not asking you to submit anything, then is it really necessary to use an expensive certificate to secure the connection. We do not believe so. We do not feel that everyone should be forced to do something that has little benefit to anyone. Granted the old reasons for not using SSL certificates on every site are mostly gone, such as bandwidth constraints and the affects o speed. These have been overcome with modern technology. The cost is still a factor and is becoming less but for some it is an issue, both in the cost of the certificate and the time to install it, and then the need to remember to renew it in time before it runs out and causes even worse problems.
Google unfortunately holds the monopoly on browsers now, taking over from Internet Explorer some time ago and so if they make a change like this then it affects the whole community, the whole internet. Other browsers will need to follow suit in order to not lose their users in the belief that they are somehow less secure by not informing the user of the problems with the site. The changes take place in the July release of Google Chrome and it is also believed that in a future release they will start to shame sites that do not conform by blocking access with a block wall that states the site is not secure, much like the one they sue now when a site certificate is expired or has an issue, some issues it will not let you get to the site at all. This really stinks of Big Brother to me as I often go to one of our internal sites, of which we have many, and if the cert if not valid for some reason then I cannot go there using Chrome already and I have to switch to another browser instead. Soon we will not be able to get there using any browser and the company will be forced to spend a lot of money putting certificates on sites that, even though the certificate is doing its job, it is not up to Google standards for one valid reason or another. I personally would prefer all that money to go towards staff or improving customers experience or pricing rather than needlessly putting certificates in places that don’t need to meet Google’s standard. There are good reason for this, such as self-signed certificates for internal use severs. They do the same job as any paid certificate but are free but they will not be recognised by any web browser because they are not from an issuing authority.
To be clear we absolutely agree that all sites that need a certificate should have a certificate but we also believe in freedom to run our business our way and for people to choose if they visit us or not. I have no problem with then pointing out if a certificate has expired or is not valid for any reason, but let me make the choice to go there or not. Education is the key not control by Google. We applaud Google’s commitment to securing the Internet and make it a safer place but sometimes they move too quickly on things that don’t need to and they control too much.
There are movements to make securing your website easier and free but they are not yet easy to install and they take money out of too many pockets and so meet resistance because of that also.
Remember, if you are putting your personal data in to a website, signing up or logging in then it need to be secure.