Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure.
HTTPS is the secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to reduce users' exposure to content injection, eavesdropping, man-in-the-middle attacks, and other modification of data in transit. Data is protected from third parties on the network, and users can be more confident they are communicating with the correct website.
With the release of Chrome 56 in January 2017, Google’s browser started marking HTTP pages that collect passwords or credit cards as “Not Secure” in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we’re currently on Chrome 58) will take this to the next level.
Passwords and credit cards are naturally the most important data to keep private, but ideally no data that users type into websites should be accessible to others on the network. Chrome 62 will thus show the “Not secure” warning when users type data into HTTP sites.
As for browsing in Incognito mode, Google believes users have “increased expectations of privacy.” But in this mode, HTTP browsing is potentially visible to others on the network just like in normal mode. Chrome 62 will thus warn users when visiting an HTTP page in Incognito mode.
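As an added example that is not part of the original article or of Chrome's own code, the helper below lets a site owner classify their own pages against the rollout steps described above: given a page URL and its HTML, it reports whether Chrome 56, Chrome 62, or only the future all-HTTP step would show the "Not secure" indicator. It assumes a simplified reading of the criteria: `<input type="password">` and fields with an `autocomplete` value starting with `cc-` count as password or credit-card fields, and any other text-entry field counts as data the user can type.

```python
"""Audit helper (added example, not Google's or Chrome's code): report which
Chrome rollout step would mark a given HTTP page as "Not secure".
Assumption: password inputs and autocomplete="cc-*" fields stand in for
Chrome's password/credit-card detection; any other input or textarea counts
as a place where the user can type data."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types that accept no typed data and so do not trigger the Chrome 62 rule.
_NON_TEXT_TYPES = {"hidden", "submit", "button", "checkbox", "radio", "image", "reset"}


class _FieldScanner(HTMLParser):
    """Counts sensitive (password/credit-card) and other text-entry fields."""

    def __init__(self):
        super().__init__()
        self.sensitive = 0   # password or credit-card fields
        self.other = 0       # any other field the user can type into

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        a = dict(attrs)
        typ = (a.get("type") or "text").lower()
        if typ in _NON_TEXT_TYPES:
            return
        autocomplete = (a.get("autocomplete") or "").lower()
        if typ == "password" or autocomplete.startswith("cc-"):
            self.sensitive += 1
        else:
            self.other += 1


def not_secure_reason(url, html, incognito=False):
    """Return the first rollout step at which Chrome flags this page, or None.

    "chrome56": HTTP page with password or credit-card fields
    "chrome62": HTTP page where any data can be typed, or any HTTP page in Incognito
    "future":   every remaining HTTP page (date not yet announced)
    None:       not an HTTP page, so none of these warnings apply
    """
    if urlsplit(url).scheme.lower() != "http":
        return None
    scanner = _FieldScanner()
    scanner.feed(html)
    if scanner.sensitive:
        return "chrome56"
    if scanner.other or incognito:
        return "chrome62"
    return "future"
```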
Google’s reasoning for highlighting HTTP sites as non-secure remains the same:
When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you. Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria.
This is Google’s way of pushing the web towards HTTPS. As of November 2016, more than half of Chrome desktop page loads are served over HTTPS, but the company wants to push that as close to 100 percent as possible.
Google still isn’t sharing exactly when Chrome will label all HTTP pages as non-secure. When it does, the HTTP security indicator will be changed to the red triangle that is currently used for broken HTTPS pages.