Chrome to dynamically point out “Not secure” HTTP sites

Google expects HTTPS to become the default, and is preparing users for it by slowly moving Chrome towards showing only negative security indicators.

Google’s own numbers showed back in February that 68% of Chrome traffic on both Android and Windows was encrypted, as was 78% of Chrome traffic on both Chrome OS and Mac. By now, these numbers are surely even higher.

“Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure,” Emily Schechter, Product Manager, Chrome Security, explained.

The changes

Starting with Chrome 69, which is scheduled to be released in September, HTTPS sites will no longer sport the green lock and designation “Secure” before the URL in the address bar. Instead, it will just show a grey lock icon. The final goal is to drop the lock icon as well, showing just the URL without any particular markings if the site is using HTTPS.

Another announced change will be pushed out with Chrome 70 (scheduled to be released in October 2018): Google will start showing the red “Not secure” warning when users enter data on HTTP pages.

Chrome HTTP sites

“I like the idea of assuming a ‘secure’ setting by default and training users to accept a secure, default setting. I expect users will be more likely to take ‘not secure’ warnings more seriously rather than actively check that a website is secure, as in the past,” says Dr. Engin Kirda, co-founder and Chief Architect at Lastline and Professor of Computer Science at Northeastern University.

“Research has shown that marking certain parts of the browser with visual cues improves security. I am sure that Google has conducted some experiments and have realized that the new approach is probably more effective.”

Don't miss