Wired online, unpacks some security announcements from Google and summarizes the effects of projected changes in this article:
Google will start warning that plain HTTP Sites are insecure
“Google has announced that its web browser “Chrome” will soon take a more aggressive stance on web encryption, marking any site as insecure if it doesn’t use HTTPS.” Wired.com
Sites that ask for login credentials and credit card info will be the first that Chrome will warn users for… This will commence in January 2017.
Still, this seems to some like a continuation of patching inherently un-secure TCP/IP traffic. This commenter elaborates:
“Https was a bandaid solution, that still has some glaring flaws. For example, most “secure” connections still route the dns traffic without any encryption or validation at all.”
Managing security certificates is notoriously difficult (especially for untrained professionals) and can be relatively expensive. Self-hosted sites with minimal administrative support will be forced to spend more almost immediately. On Security Certificates, sure. But also on the engineering support needed to operate the certificates.
How this will shake out with shared hosting is yet to be determined in many cases. In others, the convention already exists. For instance, this site (InterWestIT.com) is operated on the WordPress.com platform (child company of Automattic.com) — which enforces HTTPS connections, period.
What’s the point? Mainly that traffic between the server and the client be encrypted from the first packets exchanged. This will prevent network observers any realistic hope of understanding the messages exchanged. It will not prevent them from knowing who and where the endpoints are.
Server-side and client-side hacks (malware) will remain effective for spying. As will NSA super keys that crack HTTPS anyway.