Google Chrome Starts Marking Unsecured HTTP Sites as “Not Secure”

Google announced a while ago that, from July 2018, Chrome would begin alerting users when they visit an unsecured website that is still served over HTTP rather than HTTPS. That time has come.

Google’s official announcement said:

Security has been one of Chrome’s core principles since the beginning—we’re constantly working to keep you safe as you browse the web. Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”. This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users.

When you load a website over plain HTTP, your connection to the site is not encrypted. This means anyone on the network can look at any information going back and forth, or even modify the contents of the site before it gets to you. With HTTPS, your connection to the site is encrypted, so eavesdroppers are locked out, and information (like passwords or credit card info) will be private when sent to the site.

Chrome’s “not secure” warning helps you understand when the connection to the site you’re on isn’t secure and, at the same time, motivates the site’s owner to improve the security of their site. Since our announcement nearly two years ago, HTTPS usage has made incredible progress.

…Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure. We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages.

Version 68 of Google’s Chrome browser displays a fairly visible warning whenever you visit an HTTP website. There is no green padlock displaying the word “Secure” in the address bar, which has become almost expected over the past few years.

Instead, the words “not secure” are displayed. If a user clicks on that icon, a warning advises them not to enter any sensitive or private information on the website, as the site is deemed insecure and the information is therefore vulnerable to being stolen by hackers.

By Chrome 69, which is due in September 2018, secure sites will display a black lock icon rather than a green padlock.

By the time Chrome 70 comes around in October, the “not secure” warning on HTTP websites will become a noticeable red colour.

Google’s transparency report found:

  • 76 percent of Chrome traffic on Android is now protected, up from 42 percent
  • 85 percent of Chrome traffic on ChromeOS is now protected, up from 67 percent
  • 83 of the top 100 sites on the web use HTTPS by default, up from 37

Google has also stated the following:

Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).

Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages.

We hope these changes continue to pave the way for a web that’s easy to use safely, by default. HTTPS is cheaper and easier than ever before, and unlocks powerful capabilities — so don’t wait to migrate to HTTPS! Check out our set-up guides to get started.

 

Google is doing this largely to signal to webmasters and businesses that they need to update their credentials. To the user, however, it is still an indication that the website isn’t safe, and they will know no real difference.

Anything taking place on an HTTP site can be sent unencrypted around the world, which leaves it open to trackers, malicious software, or redirects to fake websites.

HTTPS has the benefit that it is more secure, and therefore safeguards against these threats.

There’s no real reason not to adopt HTTPS, and the benefits include:

  • Added security
  • Upgrading is simpler than ever
  • Added peace of mind for potential customers browsing the site
  • More conversions due to additional customer comfort
  • SEO benefits as HTTPS is a ranking signal

If you need help upgrading to HTTPS, get in touch with the team who will be happy to help.