Google today revealed the first step in its long-term plan to mark all HTTP sites as non-secure in Chrome. Starting in January 2017, Chrome will mark HTTP sites that transmit passwords or credit cards as non-secure.
HTTPS is HTTP carried over TLS, which encrypts and authenticates the connection between a user's browser and a website. Plain HTTP offers neither protection: anyone on the network path can eavesdrop on the traffic, act as a man-in-the-middle, or inject or modify content before it reaches the user, which is why secure connections are widely considered a necessary baseline. In August 2014, Google's search algorithm started giving encrypted sites a slight ranking boost, and in December 2015 Google Search started indexing HTTPS pages by default.
Currently, Chrome indicates connection security with an icon in the address bar, but does not explicitly label HTTP connections as non-secure. That changes with the release of Chrome 56, according to Google's roadmap (we're on Chrome 53 right now, for those keeping track). In a similar vein, Google also plans to stop accepting SHA-1-signed certificates in Chrome by January 1, 2017 (SHA-1 is a hash function used in certificate signatures, not an encryption algorithm).
For HTTP connections that transmit passwords or credit card numbers, Chrome's address bar will show "Not secure" next year instead of today's neutral indicator.
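To see which of your own pages the Chrome 56 rule would catch, here is an added example (not from Google or the original article) that approximates the criterion in Python: a page is labelled "Not secure" when it is served over http:// and contains a password field or a credit-card field. Chrome's real detection of credit-card fields is heuristic; the autocomplete tokens, the helper names and the sample pages below are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Autocomplete tokens that mark a field as carrying credit-card data
# (assumption: this list stands in for Chrome's own credit-card field detection).
CREDIT_CARD_AUTOCOMPLETE = {
    "cc-number", "cc-name", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc",
}


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that would carry a password or card number."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute values may be None for boolean attributes; normalise case.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if a.get("type") == "password":
            self.fields.append(("password", a.get("name", "")))
        elif a.get("autocomplete") in CREDIT_CARD_AUTOCOMPLETE:
            self.fields.append(("credit-card", a.get("name", "")))


def sensitive_fields(html):
    """Return [(kind, field name), ...] for every password/credit-card input."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.fields


def chrome56_indicator(url, html):
    """Approximate the Chrome 56 address-bar label for a page at `url`.

    'secure'     - served over HTTPS (assumes a valid certificate)
    'not secure' - served over HTTP and collects passwords or card data
    'neutral'    - served over HTTP but collects nothing sensitive (unchanged in 56)
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "secure"
    if scheme == "http" and sensitive_fields(html):
        return "not secure"
    return "neutral"


# Constructed sample pages (not real sites).
LOGIN_PAGE = """
<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="PASSWORD">
  <button>Sign in</button>
</form>"""

CHECKOUT_PAGE = """
<form action="/pay" method="post">
  <input name="cardnum" autocomplete="cc-number">
  <input name="promo" type="text">
</form>"""

ABOUT_PAGE = "<h1>About us</h1><p>No forms here.</p>"

if __name__ == "__main__":
    for url, html in [
        ("http://example.test/login", LOGIN_PAGE),
        ("https://example.test/login", LOGIN_PAGE),
        ("http://example.test/checkout", CHECKOUT_PAGE),
        ("http://example.test/about", ABOUT_PAGE),
    ]:
        print(f"{url:35} -> {chrome56_indicator(url, html)}")
```

Run it against a crawl of your own HTML to find the login and checkout pages still served without TLS; the fix is to move those pages (and ideally the whole site) to HTTPS, since the warning is tied to the page's scheme, not to where the form posts.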
Google’s reasoning for highlighting HTTP sites as non-secure is simple:
This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.
Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria.
In short, this is Google’s way of pushing the web towards HTTPS. Currently, more than half of Chrome desktop page loads are served over HTTPS, but the company wants to push that as close to 100 percent as possible.
The change early next year is just the first step. Google doesn’t say exactly when, but in future Chrome versions, the HTTP warnings will be extended further. The company offers an example of a next step: labeling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy.
Eventually, Chrome will label all HTTP pages as non-secure, and the HTTP indicator will change to the red warning triangle currently used for broken HTTPS pages.