On May 29, 2018, the internet giant Google released a new version of their Chrome browser called Chrome 68. According to their Chromium blog, the browser will be available from the start of July, replacing the previous version.

Among the changes that will be found in the new browser is a focus on website security, whereby all HTTP webpages will be marked as “not secure”. An HTTP page is a webpage served without a valid SSL certificate, which means the connection to it is not encrypted and may offer a lower level of security. Adding an SSL certificate to your website authenticates the site and encrypts all information exchanged between a user and the site, protecting it from theft and misuse. Chrome is now the first major browser to explicitly mark websites without HTTPS as unsafe. Previous versions had only warned of missing SSL certificates on login pages or when entering banking/sensitive data.

Why is Chrome 68 making this change?

Chrome 68 is distrusting all HTTP websites in an effort to clean up website security on the internet. This change will be immediately visible in the browser’s address bar, where you will be able to see the words “not secure” to the left of the URL on any webpage that isn’t secured with a valid SSL certificate. The biggest change is that the “not secure” label will now be applied to any webpage missing an SSL certificate – not just form or login pages. This decision to distrust all unsecured pages, regardless of content, is in keeping with Google’s conduct over the last couple of years: the company has been promoting the use of HTTPS encryption and gradually marking HTTP webpages as not secure. The reason for this is simple: a focus on internet safety and user trust. With each passing day there are more and more cyber criminals trying to take advantage of gaps in the knowledge of unsuspecting internet users, and making “safety a standard” means that people can have greater peace of mind when surfing the internet. As well as being easier targets for online criminals, websites only using HTTP are susceptible to annoying, unwanted ads popping up, which effectively ruin the user experience.

In the past, a small “i” symbol in the address bar was the only indication that a page being visited was unencrypted. Users would need to click on the symbol or be browsing in incognito mode to see the written security warning. However, after a specially conducted study, Google found that this minimal indicator was overlooked by most users. Since webpage URLs are now visibly pushed to the right by the words “not secure”, the danger should be easy for any Chrome user to recognize.

Although Chrome 68 is ahead of the curve in distrusting all HTTP webpages, this trend towards internet safety is one that all the major browser vendors (Mozilla, Google, Apple) have been following, with small changes to their browsers that encourage HTTPS use and discourage having only HTTP.

Tip

Want to make your website more secure? Learn more about SSL certificates from IONOS and how they increase your site’s trustworthiness.

What are Google trying to achieve?

Google have long been trying to present themselves as advocates for Internet security. Chrome 56, released in January 2017, began applying warnings to websites that process sensitive data through an unencrypted connection. The new layer of protection afforded by Chrome 68 means that users will be informed on the topic of security and will have more protection from phishing methods and “man-in-the-browser” attacks.

Google are also looking out for themselves with this action. It is in their interests that users continue to feel safe and secure using the internet for transactions and browsing. Users need to keep spending more and more time online for the company’s growth to keep expanding. A large-scale campaign against thousands of insecure SSL certificates from Symantec has proven that Google are serious on the topic.

What does this mean for websites?

If you run a website secured with HTTPS, then nothing will change for you. However, if your website is not secured with an SSL certificate, or if some pages are but others aren’t, visitors will receive an “insecure connection” warning message when trying to access the affected pages on a Chrome 68 browser. While it might not be every page on your site, having any of your pages produce this warning sign will be an immediate red flag for most users. This will have a definite negative impact on website traffic, which is a huge problem, particularly if you are running an e-commerce site. Sometimes websites will have their login or payment page secured with HTTPS but the rest of the website left without, and that is no longer sufficient. In a November 2014 survey, the certification authority Globalsign found that 85 percent of online shoppers feel deterred by unencrypted websites. Thanks to this action from Google 68, all webpages will need to be secured with an SSL certificate to ensure a smoother, safer visitor experience.

However, it is still definitely worth it to provide a certificate for all webpages even if your website is not an e-commerce site. As well as affecting visitor traffic to your website, having unsecure pages in your website affects your SEO ranking. As part of Google’s actions to encourage HTTPS security, their algorithms actively promote HTTPS webpages in their search rank results, and lower those without the appropriate SSL certificate.

What are the advantages of encrypting a website?

The smoother the user experience, and the greater the level of trust from your visitors, the more your website will flourish. Website security is the key to this, and HTTP has been an outdated standard for years. In fact, its original function was not security based at all. Adding an SSL certificate to make your page secure means that you are adding a layer of encryption and page authenticity which will in turn protect your users’ data. This security layer also affords you protection as a site runner from invasions from third parties, including Wi-Fi hotspots or other unsecure connections. These external parties may slip extra advertisements into your website that will drastically slow it down, creating a negative experience for the visitor and potentially putting them at risk from harmful content. If you can guarantee a safe, authentic web experience for visitors, this will result in more transactions being carried through in their entirety, reduce bounce rates and gain a good reputation for your site.

There are also increasingly more web technologies and browser features/plugins that necessitate HTTPS to function. Continuing to run an HTTP website means that you are excluding your site from the latest features and updates.

Chrome will stop highlighting HTTPS sites as “secure”

In May 2018, Google announced the removal of the green padlock icon, which currently appears on HTTPS pages as a security indicator. Google believes that users should think of the internet as “safe by default”. For HTTP sites however, the red “not secure” alert will remain, making the pages even more recognizable. As stated on the Google Chromium Blog, this change should be rolled out in September 2018 with the release of Chrome 69.

How do I transition to HTTPS?

All you need to do to ensure your website’s security (and that you won’t be condemned by Chrome 68) is to purchase an SSL (Secure Sockets Layer) protocol certificate or a TLS (Transport Layer Security) protocol certificate. There is no hardware requirement to do this. If your website already has certificates for some pages but not others, make sure you have every page of your website covered. You should also double check that any third-party services you may employ (advertising, analytics services, etc.) are also compatible with HTTPS to avoid any issues. Thanks to the increasing sophistication of modern hacking methods, there is no justification for prioritizing certain webpages over others. In addition to a good Google SEO ranking and accelerated performance with HTTP/2, user confidence is the number one benefit from this transition.
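One way to carry out the third-party check described above, as an added example that is not part of the original article: the script lists every subresource and form target a page still requests over plain HTTP, grouped by host, so you can see which advertising or analytics providers need an HTTPS endpoint. The tag list, the function names and the sample page are assumptions made for this illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that make the browser fetch something, and the attribute holding the URL.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "embed": "src", "object": "data", "link": "href"}

class InsecureRefFinder(HTMLParser):
    """Collects http:// subresources (by host) and http:// form targets."""

    def __init__(self):
        super().__init__()
        self.by_host = defaultdict(list)
        self.insecure_forms = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        if tag == "form":
            if urlsplit(attrs.get("action", "")).scheme == "http":
                self.insecure_forms.append(attrs["action"])
            return
        # <link> only loads a resource for stylesheets; skip canonical etc.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        url = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""), "")
        parts = urlsplit(url)
        # Relative and protocol-relative URLs inherit the page's scheme.
        if parts.scheme == "http":
            self.by_host[parts.hostname].append((tag, url))

def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    return dict(finder.by_host), finder.insecure_forms

# Constructed sample page (hosts are placeholders, not real services).
PAGE = """
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://ads.example.net/tag.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<img src="https://img.example.com/logo.png">
<a href="http://partner.example.org/">partner</a>
<form action="http://shop.example.com/login" method="post"></form>
"""

if __name__ == "__main__":
    hosts, forms = find_insecure_refs(PAGE)
    for host, refs in hosts.items():
        print(host, refs)
    print("forms posting over HTTP:", forms)
```

Ordinary `<a href>` links are not reported, because following a link is a navigation rather than content loaded into the secured page.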

Tip

In our guide we explain how to switch to HTTPS.

Whether Chrome 66 or Chrome 70, neither will trust Symantec

Google Chrome now only supports HTTPS connections. However, some websites are still marked with a warning message despite their HTTPS certification – websites that use outdated certificates issued by Symantec. According to Google, Symantec has repeatedly issued incorrect certificates to thousands of domains, proving itself to be unsafe and unreliable on a number of occasions.

Google responded to these discrepancies by gradually distrusting Symantec-issued certificates, concluding with Chrome 66. Since April 17th, 2018, websites that have TLS certificates that were issued by Symantec before June 6th, 2016, have been marked with a warning message stating that data on the website could be intercepted by third parties. Chrome 68 now displays a clear “Not Safe” warning. When the scheduled update from Chrome 68 to Chrome 70 takes place on October 23rd, 2018, this warning will become even more obvious for all Symantec certificates issued before December 1st, 2017. The “Not Secure” note will be displayed in red and highlighted as soon as users try to enter their data on an insecure website.

The number of domains that will be affected by this change was discovered by an Airbnb security technician working on their own initiative. 11,510 domains, or almost 10% of the most visited websites according to an Alexa ranking, will be marked as unsafe. The reason this number is so high is that Chrome 70 not only distrusts outdated certificates issued directly by Symantec, it will also blacklist certificates whose trust chain is based on Symantec certificates (including GeoTrust, RapidSSL and Thawte). All Symantec certificate users are therefore advised to check the date of issue and get their certificate replaced free of charge if necessary.
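The date-of-issue check recommended above, as an added example that is not part of the original article: it classifies certificates by issuer brand and issue date, using the cut-off dates and brand names exactly as this article gives them. The input layout is the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns; matching brand names in the issuer text is a heuristic assumed for this illustration, and the sample certificates are constructed.

```python
import ssl
from datetime import datetime, timezone

# Brands the article names as part of the Symantec trust chain.
SYMANTEC_BRANDS = ("symantec", "geotrust", "rapidssl", "thawte")

# Cut-off dates exactly as this article states them.
CHROME_66_CUTOFF = datetime(2016, 6, 6, tzinfo=timezone.utc)
CHROME_70_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)

def issuer_text(cert):
    """Flatten the issuer of a getpeercert()-style dict to one lowercase string."""
    return " ".join(v for rdn in cert.get("issuer", ()) for _, v in rdn).lower()

def classify(cert):
    """Say which Chrome release, per the article, flags this certificate."""
    if not any(brand in issuer_text(cert) for brand in SYMANTEC_BRANDS):
        return "not-symantec"
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    issued = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if issued < CHROME_66_CUTOFF:
        return "flagged-since-chrome-66"
    if issued < CHROME_70_CUTOFF:
        return "flagged-from-chrome-70"
    return "issued-after-cutoffs"

def audit(certs):
    """Map each host name to its classification."""
    return {host: classify(cert) for host, cert in certs.items()}

# Constructed sample certificates (placeholder hosts), in getpeercert() layout.
SAMPLES = {
    "shop.example": {"issuer": ((("organizationName", "GeoTrust Inc."),),
                                (("commonName", "RapidSSL SHA256 CA"),)),
                     "notBefore": "Mar 14 00:00:00 2016 GMT"},
    "bank.example": {"issuer": ((("organizationName", "Symantec Corporation"),),),
                     "notBefore": "Feb  2 00:00:00 2017 GMT"},
    "news.example": {"issuer": ((("organizationName", "DigiCert Inc"),),
                                (("commonName", "Thawte RSA CA 2018"),)),
                     "notBefore": "Jan 15 00:00:00 2018 GMT"},
    "blog.example": {"issuer": ((("organizationName", "Example CA"),),),
                     "notBefore": "May 10 00:00:00 2016 GMT"},
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:15} {verdict}")
```

Only the direct issuer of the site certificate is inspected here, so a chain that reaches a Symantec root through an intermediate with an unrelated name would need the full chain examined instead.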

Tip

There is no time to lose. Find out how to replace an invalid SSL certificate from Symantec now, before it’s too late.
