In July, Google Chrome, the most popular web browser, will begin showing HTTP websites as not secure. The version of Chrome that will show this message is Chrome 68. The websites will work as normal, but there will be a message to the left of the address bar that says “not secure”.
The purpose of this message is to convince website owners to add an SSL certificate to their sites. Its effect on websites depends on how much attention users pay to it. If people leave websites marked “not secure”, it will incentivize website owners to get a certificate. If people ignore the warning, it will probably not have much of an effect.
In truth, the “not secure” warning is a little dire. If you are just browsing a website and not filling out forms with important information, HTTPS is not truly necessary. It could still prevent some man-in-the-middle attacks, where someone intercepts and changes the communication between the web browser and the server. Sometimes this is done to inject ads or malware into a trusted website.
A Secure Sockets Layer (SSL) certificate can cost more than hosting for a small website. There is a free SSL certificate available from https://letsencrypt.org/. If you are running a small website, you will need to check whether your host supports Let’s Encrypt certs. An SSL certificate is a recurring cost; they usually expire yearly, so keep that in mind. You may want to switch to a host that supports Let’s Encrypt certs.
Let’s Encrypt offers short-lived certificates. They only last 90 days. Software that generates new certificates automatically can be set up on the server, which allows the certs to be renewed continually. Traditional certs are renewed yearly, and the renewal would sometimes fall through the cracks, leading to errors about expired certificates.
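Automated renewal can stall without anyone noticing, so it is worth checking expiry dates independently of the renewal software. The script below is an added example, not code from Let’s Encrypt or from this article; the 30-day renewal threshold, the function names and the sample certificates are assumptions made up for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed threshold; match it to your renewal tooling


def fetch_cert(host, port=443, timeout=5.0):
    """Return a site's validated certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now).days


def classify(cert, now=None, renew_before=RENEW_BEFORE_DAYS):
    """Return 'expired', 'renewal-overdue' or 'ok' for one certificate."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left < renew_before:
        return "renewal-overdue"  # automation should already have replaced it
    return "ok"


# Constructed sample data in the same shape fetch_cert() returns.
SAMPLE_NOW = datetime(2018, 7, 24, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "fresh-90-day": {"notAfter": "Oct 22 00:00:00 2018 GMT"},
    "renewal-stalled": {"notAfter": "Aug  3 00:00:00 2018 GMT"},
    "forgotten-yearly": {"notAfter": "Jul  1 00:00:00 2018 GMT"},
}


def report(certs=SAMPLE_CERTS, now=SAMPLE_NOW):
    """Map each certificate name to (state, days remaining)."""
    return {n: (classify(c, now), days_remaining(c, now)) for n, c in certs.items()}


if __name__ == "__main__":
    for name, (state, left) in report().items():
        print(f"{name:18} {state:16} {left:4d} days")
```

To check a live site, pass the result of `fetch_cert("your-domain")` to `classify()` from a scheduled job and alert on anything other than `ok`.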
If you are receiving sensitive information like credit cards on your website, you may need to purchase an Organisationally Validated Certificate instead of using a Let’s Encrypt cert. Organisationally Validated certs used to be the only available type of certificate. The certification authority provides some verification that the company or entity requesting the cert is the organization listed on the cert.
Google is using its dominant position as a search engine and web browser to force sites to move to HTTPS. It makes it slightly more complicated to host a website, but it will make it more difficult to perform some types of cyber attacks.