I was reading this article from theverge.com about Google’s Chrome development team wanting to make another change to its beloved browser. Chrome started planning around January 2017 to clearly mark websites not using an encrypted HTTPS connection (according to theverge.com). At this point this isn't news, and most of the tech world was split on the issue but for the most part did agree users should clearly see whether the connection is safe or not. However, should websites not collecting any information be almost shamed? Recently, theverge.com wrote an article stating that the now well-known “secure indicator” is being removed around September 2018. Basically, Google says, “users should expect that the web is safe by default,” which again I doubt anyone isn't arguing.
Things like this I feel are great ideas, but they can be seen as overkill from a technical delivery point of view. Some websites aren't exchanging private information, which could make it unnecessary or even a waste of money for some developers. Securing a website connection usually requires a CA (certificate authority), which issues digital certificates to organizations or individuals after verifying their identity by having them show they have control over the website. Once the certificate is issued, the developer adds it to the server side. These certificates can usually cost anywhere from $75 to around $350 for each domain name PER YEAR!!!
There are free SSL options which do level the playing field for companies or individuals only wanting to display content. Providers like letsencrypt.org and comodo.com offer free SSL certificates which can be renewed every 90 days. This does for the most part solve the problem for everyone, but again we’re talking about the need for it. These free options have been around for a while now, and according to Let’s Encrypt the demand for SSL has grown (https://letsencrypt.org/stats). You can even see that around January 2017 it really jumped due to all this news.
The question is, does adding this extra technical step actually help or make us any safer on websites that don’t require the user to enter anything? Websites like hp.com or dell.com are used a lot for downloading drivers and/or software for their products. They do sell on their websites too, but should anything that doesn’t require you to give any information really be encrypted?? What about websites for games? There’s addictinggames.com, newgrounds.com (which does encrypt), and even pogo.com that don’t require users to sign up or even log in at all!! You do have the option on all these examples to create an account if you want to keep track of your scores or history, but it’s not required to use their services.
One might ask, “Why not encrypt regardless, since it doesn’t change the front-end experience, and gives the user peace of mind?” The reasons would be efficiency, compliance, and costs. Even though there are free SSL certificates, there are some domain owners who can’t encrypt since a lot of websites are forwarding with masking. Website domain names that forward basically just go to another website. This is very common. The difference is when a website is forwarding and then masking: basically, a website that is covering up another website. The ones I’ve used and currently use are shorturl.com and 2ya.com, which let you reserve a subdomain (example sub.domain.com) and a regular domain (example domain.com). These types of services came out around the “geocities” days.
Now with the domain JeremyDaniele.com, I use Let’s Encrypt SSL, but some might see that as not as secure, mostly because it’s free. On my web hosting website, I’m using GoDaddy SSL, which is paid for. I do plan on taking payments in the near future, so I found that important, but for pages like this one that you’re on right now the only information that’s being transferred is the very text you’re reading.
Look at it like this. Let's say you went into an electronics store and you’re speaking to a sales person about something you want to buy. The store would be the internet connection and the sales person would be the website you’re interacting with. Now the conversation you’re having with the sales person can be seen as not encrypted because anyone can walk by and hear. Now let’s say you’re at a bank and you want to take out a loan. You walk in and say you want to talk about a home loan. You’re then brought into another area where no one can see and for the most part can’t hear you. You will even start to give the bank person your very private financial information. This can be seen as encrypted. Why should a retail electronics store create secured environments just to show you something they want to sell or demonstrate?
No matter how we discuss this topic, it’s still going to happen. So, how do you prepare for this change? As a user you don’t have to do anything. This change is just going to happen. Just be aware of the changes and how to use the browser you like to use. As a developer you should decide quickly where you stand and what type of encryption you will be using for your visitors. Do all your visitors care? Well, I guess it would depend on the browser they’re using and the information you will be exchanging with them.
According to w3schools.com (https://www.w3schools.com/browsers), Chrome started to become the preferred choice in the famous IE versus Chrome rivalry in April 2011. w3schools.com does mention Firefox being the leader at the time, but most of the users of that website are “techies”, so I looked up the Digital Analytics Program (DAP) and found they recorded the majority of users accessing their website in the year 2015 to be on Chrome, and quickly rising. Now whoever controls the most used browser basically “runs the show” with this topic.