Chrome starts marking all HTTP sites as “Not secure”

If you’re using Google Chrome and you suddenly start seeing sites you usually visit labeled as “Not secure”, it’s because Google wants to push site owners to use HTTPS, i.e., encrypt the traffic passing from their visitors to their servers and vice versa.

HTTP not secure

The move didn’t come as a surprise – it was announced earlier this year. Google first started labeling sites that transmit passwords or credit cards information over HTTP as Not secure in early 2017, then started doing the same with FTP sites, and is now flagging all sites without traffic encryption.

The “Not secure” mark is currently in grey, but Chrome 70 (scheduled to be released in October 2018) will start showing the red “Not secure” warning when users enter data on HTTP pages:

HTTP not secure

In a few months, Google also intends to remove positive security indicators so that the default unmarked state is secure.

Starting with Chrome 69, which is scheduled to be released in September, HTTPS sites will no longer sport the green lock and designation “Secure” before the URL in the address bar. Instead, it will just show a grey lock icon. The final goal is to drop the lock icon as well, showing just the URL without any particular markings if the site is using HTTPS.

HTTP prevalence

How many sites still don’t encrypt traffic? According to Cloudflare’s count, of the top million sites, 542,605 will show “not secure” in Chrome starting today.

Security professionals Troy Hunt and Scott Helme have also launched Why No HTTPS?, a website showing which of the world most visited websites still load over an insecure connection without redirecting to a secure, encrypted connection.

Visitors can also check out which popular sites in each country are still served over HTTP.

Why switch to HTTPS?

HTTP site owners that want their visitors to stick around and not flee when their site is marked as “Not secure” should consider implementing HTTPS.

Encrypting a site’s traffic is easy and not expensive. For example, Let’s Encrypt, the non-profit Certificate Authority (CA) backed by the Electronic Frontier Foundation, Mozilla, Cisco, Akamai, and others, offers free security certificates.

Another positive thing for sites using HTTPS: they will be ranked higher in Google Search results.

Don't miss