If your web site includes a form collecting credit card numbers or passwords, such as a payment form or user login, and is not using SSL (https and the little padlock) then please read on … this will affect your website.
With the release of Google Chrome 56 in January, Google Chrome now warns web site users if your site isn’t secure when collecting passwords.
Is this a good thing?
Yes, this is another very positive move from Google towards securing the web, and follows on from our previous article “Is SSL now a must for all web sites?“. However, it has implications for sites who still take credit card details on their site, or have a user login form, and are not using SSL.
Does this affect my web site?
Credit card numbers aren’t such an issue nowadays; most web site owners have moved to 3rd party online credit card gateways such as PayPal or Payment Express where the payment form is actually on the gateways site and secured by them. If you have a form collecting credit card details within your own site then this needs sorting – contact your web developer or contact us for advice.
Password forms are a different matter. There are many websites out there with a user login form that asks for passwords. This maybe for an account login on an ecommerce web site, a membership login or some other client access. If you have a form collecting a password and are not using SSL, then when the form is submitted you are sending that user’s password across the Internet in clear text, leaving it fair game for any hacker to intercept and abuse.
Google Chrome now detects any web page asking for a credit card number or password which is not secured by SSL and warns the user. Read more about this change to Chrome. This is totally fair enough but not a good look if it is your site!
Beyond this, you may also be using a Content Management System (CMS) on your site, where you can log in and manage the content of your site. How would you feel if a hacker intercepted your password and then hacked your web site? So while you may not be worried about the Chrome warning on your personal CMS login page, surely it is still worth protecting with SSL to guard against the hacking of your website?
What can I do about it?
The solution is really very simple.
If any page on your web site asks for a password, secure your site with SSL. This can be done by purchasing an SSL certificate through us or using a free CloudFlare account which includes SSL for your site.
If you have any questions please feel free to contact us.