For a few years now, modern browsers like Chrome, Firefox and Edge
have been warning as “insecure”, web sites that are served as plain
text over HTTP (port 80).
- Google blog article – https://blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/
Informatics are working through making all our managed websites
available over encrypted HTTPS (port 443). If you run your own website that
is only accessible over HTTP, then you probably want to be thinking
about making it accessible via HTTPS.
At some point web browsers are likely to drive home the point more
forcefully that users are visiting an HTTP only site, and
may even stop supporting HTTP only sites.
If you’ve already configured your own web server, then adding HTTPS is
relatively straightforward, the trickier part being obtaining a
suitable HTTPS SSL certificate for your site.
You will probably have the option to generate a “self-signed”
certificate, which will at least encrypt the web traffic between your
site and the browser, but will lead the web browser flagging a
different warning about a site using a self-signed certificate.
To obtain a trusted SSL certificate, you could use something like Let’s Encrypt
(https://letsencrypt.org/), or perhaps purchase one from your ISP, or a
separate commercial SSL provider.