For as far back as I can remember, browsers have always denoted HTTPS pages with a padlock icon, a tiny warning to let you know that anything you submit on the specific page will be securely encrypted. As with all never-changing warnings though, I imagine you’ve stopped noticing it as much as you used to years ago, and that effect combined with HTTPS usage reaching over half of all web pages and the popularity of extensions like HTTPS Everywhere, has spurred some changes in how Firefox and Chrome approach this.
Launched this week, Firefox 51 and Chrome 56 have reversed that age-old warning. Login forms over HTTP now display a “Not Secure” warning. This new warning should be enough to catch the attention of those of us who have begun to ignore the time-honored padlock, but I imagine site owners might be caught a bit off guard.
If you own a site with a login form over HTTP, don’t worry (sort of), your login form isn’t suddenly not secure … it has never been secure. If you’re the only person who uses that login form, and you never use it over a public internet connection, you generally have nothing to worry about.
If other people are expected to log in to your site over HTTP, or you often log in over a public internet connection, it’s time to start moving your site over to HTTPS. You’ll need to acquire an SSL/TLS certificate from a certificate authority to being with, and in the past those have been ridiculously expensive, but all of that changed when Let’s Encrypt premiered, offering free SSL/TLS certificates for everyone. Today, you’ll most likely find that your hosting provider either offers free or incredibly inexpensive certificates, like all of WordPress’s recommended hosting providers do (as does my hosting provider, Pressable). If your hosting provider still wants to charge you a ridiculous rate for a certificate, you might as well take this opportunity to check out the rapidly growing list of hosting providers who offer free Let’s Encrypt certificates.
Once you have your certificate, setting it up is generally just a matter of consulting the documentation from your hosting provider (though this is typically automated if you acquire the certificate from them) and your website’s software. If you use WordPress, the process is very simple.
As site owners, let’s do what we can to proliferate HTTPS and thus provide a more safe and secure web for everyone.