Back in September 2016 Google announced on their Security Blog that they were going to label sites that collect passwords or credit card details without a valid security certificate as “Not Secure”. Without a valid security certificate, the contents of a website can be modified before they reach the end user, and sensitive information can be intercepted.
Historically people have been told to look for the padlock symbol that shows a site is secure, but Google research has shown that many people do not look for it. Therefore Google are to add warnings in the address bar.
It is also very important to ensure that your security certificate is correctly configured and that you test your site in all major browsers. Browsing on the Asda.com site today I see this –
I would think this would be sufficient warning for most of their customers not to go further. If you look at the site on Firefox, all seems fine unless you click next to the URL, and then a “Connection is not secure” warning appears.
On my Android mobile in Chrome the site loads with a red no-https warning and the site doesn’t load properly.
In Microsoft Edge, however, if you just type “asda.com” in the URL bar everything looks fine; there is no indication that anything is insecure unless you enter “https://www.asda.com”, and then you get an insecure warning.
It does appear that Asda.com do have a security certificate but it is configured incorrectly.