Chrome now flags HTTP sites as “not secure”

Google has rolled out the much-anticipated version 68 of its Chrome browser that, most importantly, labels HTTP websites as “not secure”.

Available for Windows, Mac and Linux, Chrome’s latest iteration inserts a “not secure” indicator to the left of the URL bar for any website that uses the unencrypted HTTP connection between the site’s server and the user’s computer.

“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” reads the announcement by Chrome Security Product Manager Emily Schechter.

The move, which we also wrote about in February, is part of Google’s long-standing push to eliminate unencrypted connections by nudging website owners to switch to HTTPS, which is HTTP’s secure version.

HTTPS, or Hypertext Transfer Protocol Secure, encrypts web traffic, thus ensuring that submitted data is safe from prying eyes while in transmission. On the flip side, the protocol’s presence alone does not automatically mean that the site can be 100% trusted, as even a site with HTTPS can be malicious.

Source: blog.google

Schechter noted the “incredible progress“ in HTTPS adoption over the past two years, i.e. since Google’s announcement that sites without HTTPS encryption would ultimately come to be labelled as “not secure”. “83 of the top 100 sites on the web use HTTPS by default, up from 37,” she wrote.

Obviously, there’s still some way to go, with highly popular sites that have yet to migrate to HTTPS conveniently listed on Why No HTTPS?. Cloud security provider Cloudflare said last month that some 540,000 of the nearly 1 million top websites worldwide don’t redirect users to HTTPS.

More of HTTPS on the horizon

Google isn’t done with changes to how it treats HTTP and HTTPS pages. Chrome 69, due in September, will drop the “secure” indicator for HTTPS pages.

“Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure,” said the firm in May.

Then, as of October, Chrome 70 will display a red "not secure" indicator whenever a user enters text on an HTTP page.