Chrome will mark HTTP pages as “not secure”


Starting with Chrome 68, which is scheduled to be released in July 2018, Google will explicitly mark all HTTP sites as “not secure”:

[Image: chrome http insecure]

According to Google’s numbers, 68% of Chrome traffic on both Android and Windows is now encrypted, as is 78% of Chrome traffic on both Chrome OS and Mac. In July, those numbers are going to be even higher.

“Developers have been transitioning their sites to HTTPS and making the web safer for everyone,” Chrome security product manager Emily Schechter pointed out. “81 of the top 100 sites on the web use HTTPS by default.”

The change is not unexpected

Google has been gradually pushing the Internet towards HTTPS for some years now.

In summer 2014, it started prioritizing websites using HTTPS in Google Search results. In March 2016 Google started tracking and sharing information about its own use of HTTPS, as well as that of the top 100 non-Google sites on the Internet.

In early 2017, Chrome started labeling sites that transmit passwords or credit card information over HTTP as non-secure. In late 2017, the same label started getting appended to FTP sites.

Starting with Chrome 68, HTTP sites will get labeled as “not secure,” but there is still one last step after that, when the HTTP security indicator will turn red:

[Image: chrome http insecure]

Chrome is used by 63% of desktop users and 50% of smartphone users, giving Google significant leverage when it comes to pushing for Internet-wide HTTPS.

“Chrome is dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving web pages,” Schechter added.

“The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.”
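
A simplified static version of the kind of check described above, as an added example (not Lighthouse's code and not part of the original article): it lists the subresources an HTTPS page still references over HTTP and proposes the HTTPS reference where a probe says it is usable. The sample page, the host names, and the `https_ok` probe are constructed assumptions, and URLs are assumed to carry no explicit port.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> True for active content (script, style, frame), which
# browsers block on HTTPS pages; False for passive content (images, media).
SUBRESOURCES = {("script", "src"): True, ("iframe", "src"): True,
                ("link", "href"): True, ("img", "src"): False,
                ("audio", "src"): False, ("video", "src"): False}

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # rel="canonical" etc. is metadata, not a resource load
        for (t, attr), active in SUBRESOURCES.items():
            if t == tag and attrs.get(attr):
                # Relative and protocol-relative URLs inherit the page scheme.
                url = urljoin(self.page_url, attrs[attr].strip())
                if urlsplit(url).scheme == "http":
                    self.found.append((tag, url, active))

def audit_mixed_content(html, page_url, https_ok):
    """List HTTP subresources; https_ok(url) is a caller-supplied probe
    (hypothetical) that says whether the HTTPS version is usable."""
    collector = _Collector(page_url)
    collector.feed(html)
    findings = []
    for tag, url, active in collector.found:
        https_url = urlsplit(url)._replace(scheme="https").geturl()
        findings.append({"tag": tag, "url": url,
                         "type": "active" if active else "passive",
                         "upgrade_to": https_url if https_ok(https_url) else None})
    return findings

# Constructed sample page and constructed set of HTTPS-capable hosts.
SAMPLE_HTML = """<link rel="canonical" href="http://shop.example/">
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
<img src="http://legacy.example/logo.png"><img src="/static/banner.png">
<a href="http://other.example/">partner site</a>"""
HTTPS_READY = {"cdn.example"}

def sample_probe(url):
    return urlsplit(url).hostname in HTTPS_READY
```

A finding with `upgrade_to` set can be fixed by changing the reference; one with `None` needs the resource re-hosted or removed before the page can load cleanly over HTTPS.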