Do you use the Geolocation API in your web app? Then you need HTTPS, or it’s going to stop working later this year.
Starting with Chrome version 50, the Geolocation API will no longer work for insecure origins. Unless your site is served over HTTPS (Chrome also treats localhost and 127.0.0.1 as secure, so local development keeps working), calls to getCurrentPosition() and watchPosition() will fail.
Why does geolocation need HTTPS?
In one word, privacy! Location data is particularly sensitive, and a permission granted to an http:// origin is only as safe as the network path: anyone able to tamper with the connection (a rogue Wi-Fi hotspot, for example) can inject script into the page and read the user's position as if they were the site. Restricting geolocation to secure origins closes that hole. Quite a few sites are likely to break with this change, but Google engineers have expressed that they'd rather see a few (hundred? thousand?) angry emails than see geolocation privacy leaks.
— Joel Weinberger (@metromoxie) January 21, 2016
Seen against a larger backdrop, this fits with Google's drive to secure the web and promote HTTPS everywhere. Other cutting-edge browser functionality, such as service workers, already requires HTTPS, again for security reasons: a service worker sits between the page and the network, so a man-in-the-middle who could install one over plain HTTP would control the site for its users long after the attack. This move specifically follows from the Chromium security team's policy of deprecating powerful features on insecure origins. You can see the policy in new features such as service workers, but, as the policy document says, it will also be applied retroactively to legacy features: geolocation first, as we see here, followed by getUserMedia() and device orientation.
In another recent post on the blink-dev forum, it was announced that Google's new compression algorithm, Brotli, would also only be available over secure connections. While restricting geolocation to HTTPS is clearly sensible, given how sensitive location data is, the privacy logic behind the Brotli restriction is harder to see, beyond a general desire to see everyone move to HTTPS. The technical reason given is that it prevents proxies from mangling content: an intermediary that does not understand a new Content-Encoding can corrupt or strip it on a plain HTTP connection, whereas over TLS it cannot see or alter the response.
What to do about it?
First you need to get an SSL (more precisely, TLS) certificate. This doesn't have to cost you a penny (unless you need to hire someone to make the technical changes for you), since basic but adequate certificates are available for free from startssl.com. StartCom certificates have since been distrusted by the major browsers, so today Let's Encrypt (covered below) is the safer choice.
To get a free certificate from StartSSL you'll need an account. Rather than a username and password, StartSSL logs you in with a client certificate that it installs in your browser during sign-up (this is separate from the certificate you'll obtain for your own website). It might seem slightly confusing, but if you follow their instructions you'll have your certificate within half an hour.
Next you need to install the certificate on your server. How to do this depends on the type of hosting you have and whether you have shell access; in some cases you may have to ask your hosting provider to install it for you. Most modern hosting, even shared hosting with shared IP addresses, supports SSL thanks to SNI (Server Name Indication), so you don't need a dedicated IP address for HTTPS. SNI is supported by every current browser; only very old clients such as Internet Explorer on Windows XP and the Android 2.x browser lack it, and those are the only cases where a dedicated IP address still matters. Any modern hosting provider should be able to facilitate your move to HTTPS, with or without a dedicated IP address. If they can't, it's time to reconsider your hosting solution!
Let's Encrypt is another free certificate authority, with a client that automates obtaining and installing the certificate where possible. It is currently in public beta, which means you can use it right now. You'll need to clone their git repository and then follow the Let's Encrypt getting-started guide here.
When will this happen?
According to the Chromium release calendar, version 50 is due to reach the stable channel the week of April 29th. Chromium is the open-source browser that Chrome is based on, and Chrome's stable releases track the same milestone schedule rather than lagging it by weeks, so expect Chrome 50 stable, and with it the geolocation change, at the end of April.
What will happen if you do nothing?
If your site stays on plain HTTP and calls the Geolocation API, Chrome logs a notice to the console saying the API is only available on secure origins, and the call's error callback (if you supplied one) fires with PERMISSION_DENIED. The end user, who doesn't see the console, simply sees that it doesn't work, so make sure your error handler shows something more helpful than silence.
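Here is an added example, in JavaScript, of how a web app can cope with the change described above (the insecure-origin restriction and the PERMISSION_DENIED failure). It is not code from the original post or from Chrome. It assumes the "potentially trustworthy origin" rules Chrome applies (https:, wss:, file:, localhost and 127.0.0.0/8), the W3C Geolocation error code 1 for PERMISSION_DENIED, and two constructed fake geolocation objects that stand in for the browser so the logic runs outside one; the hypothetical helper names isPotentiallyTrustworthy and requestPosition are mine.

```javascript
// Added example, not code from the original post or from Chrome.
// Assumptions: origin rules follow the "potentially trustworthy origin"
// definition Chrome's insecure-origin policy uses (https:, wss:, file:,
// localhost and 127.0.0.0/8); PERMISSION_DENIED is error code 1 as in the
// W3C Geolocation API; the fake geolocation objects below are constructed
// to mimic the behaviour described in the text, not captured from Chrome.

const PERMISSION_DENIED = 1;

// Decide, before touching navigator.geolocation, whether the origin is one
// Chrome 50+ will serve location data to. In browsers that expose
// window.isSecureContext you can use that instead; this reimplements it so
// it also works in older browsers and in tests.
function isPotentiallyTrustworthy(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // unparsable origin: treat as untrusted
  }
  if (url.protocol === 'https:' || url.protocol === 'wss:' || url.protocol === 'file:') {
    return true;
  }
  // Plain http is allowed only on loopback. The URL parser has already
  // canonicalised IPv4 forms such as 127.1 to 127.0.0.1.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  return host === 'localhost' || host.endsWith('.localhost') ||
         host === '[::1]' || host.startsWith('127.');
}

// Ask for a position and report exactly one of: needs-https, unsupported,
// ok, denied, error. `geo` (normally navigator.geolocation) and `origin`
// (normally location.origin) are parameters so the logic can be exercised
// outside a browser with the fakes below.
function requestPosition(geo, origin, done) {
  if (!isPotentiallyTrustworthy(origin)) {
    // Chrome 50+ would fail this call anyway; tell the UI why instead of
    // letting the user see a silent failure.
    done({ status: 'needs-https' });
    return;
  }
  if (!geo || typeof geo.getCurrentPosition !== 'function') {
    done({ status: 'unsupported' });
    return;
  }
  geo.getCurrentPosition(
    (pos) => done({ status: 'ok', coords: pos.coords }),
    (err) => done({
      // Distinguish "user refused" from any other failure so the UI can
      // offer the right next step.
      status: err.code === PERMISSION_DENIED ? 'denied' : 'error',
      message: err.message,
    }),
    { timeout: 10000, maximumAge: 60000 }
  );
}

// Constructed fakes (not real browser objects).
// Mimics Chrome 50 on an insecure origin: the error callback fires with
// PERMISSION_DENIED. The message text is an assumption, not a captured log.
const fakeInsecureChromeGeo = {
  getCurrentPosition(onSuccess, onError) {
    onError({ code: PERMISSION_DENIED, message: 'Only secure origins are allowed' });
  },
};

// Mimics a granted request on an HTTPS origin, with made-up coordinates.
const fakeGrantedGeo = {
  getCurrentPosition(onSuccess) {
    onSuccess({ coords: { latitude: 51.5, longitude: -0.12, accuracy: 30 } });
  },
};

// Use the real browser objects when present, otherwise the fakes.
function demo() {
  const geo = typeof navigator !== 'undefined' ? navigator.geolocation : fakeGrantedGeo;
  const origin = typeof location !== 'undefined' ? location.origin : 'https://example.test';
  requestPosition(geo, origin, (result) => console.log(result));
}

demo();
```

The pre-check matters because a failed call on an insecure origin still prompts Chrome's console warning and gives the user no explanation; with the origin check in front you can show a "this feature needs HTTPS" message instead, and the distinct `denied` status keeps a user's deliberate refusal from being mistaken for a configuration problem.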