Google today announced the third step in its browser’s war on HTTP sites. Starting in July 2018, Chrome will mark all HTTP sites as not secure right in its address bar.
HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.
Google has been pushing the web to HTTPS for years, but it accelerated its efforts last year by making changes to Chrome’s user interface. Chrome 56, released in January 2017, started marking HTTP pages that collect passwords or credit cards as “Not secure.” Chrome 62, released in October 2017, started marking HTTP sites with entered data and all HTTP sites viewed in Incognito mode as “Not secure.”
As a result, over 78 percent of Chrome traffic on both Chrome OS and Mac is now HTTPS, while 68 percent of Chrome traffic on Android and Windows is also HTTPS. But Google is not stopping there.
With the release of Chrome 68 in July 2018, here is what HTTP sites will look like in the address bar:
Here is how Google explains its thinking behind the change:
Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.
The plan was always to mark all HTTP sites as “Not secure.” Eventually, Google will change the icon beside the “Not secure” label and make the text red to further emphasize you should not trust HTTP sites:
Google also announced today that the latest version of Lighthouse, its automated tool for improving web pages, now features mixed content audits to help developers migrate their sites to HTTPS. The new audit shows developers which resources a site loads using HTTP and which ones can be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.
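To make the mixed content check concrete, the following Python example is an addition to this article, not Lighthouse's code: it lists the subresources a page loads over HTTP and proposes an HTTPS reference where the host is known to serve HTTPS. The sample page and the HTTPS_HOSTS set are constructed assumptions; a real audit would have to test each host over the network.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> (URL attribute, class). Active content can rewrite the page;
# passive content (images, media) cannot.
SUBRESOURCE_TAGS = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"),  # only counted when rel=stylesheet
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """<head>
<script src="http://cdn.example.com/app.js"></script>
<link rel="stylesheet" href="http://static.example.net/site.css">
<link rel="canonical" href="http://www.example.org/">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<img src="/local/banner.png">
<a href="http://www.example.org/about">About</a>
<iframe src="https://widgets.example.com/embed"></iframe>
</body>"""
HTTPS_HOSTS = {"cdn.example.com", "images.example.net"}  # assumption

class MixedContentAudit(HTMLParser):
    def __init__(self, https_hosts):
        super().__init__()
        self.https_hosts = https_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCE_TAGS:
            return  # e.g. <a href="http://..."> is navigation, not a subresource
        attr, kind = SUBRESOURCE_TAGS[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # canonical/alternate links are not fetched as subresources
        url = (attrs.get(attr) or "").strip()
        parts = urlsplit(url)
        if parts.scheme != "http":
            return  # https://, relative and //host/ URLs follow the page's scheme
        upgrade = "https" + url[4:] if parts.hostname in self.https_hosts else None
        self.findings.append({"tag": tag, "url": url, "kind": kind, "upgrade": upgrade})

def audit(html, https_hosts):
    parser = MixedContentAudit(set(https_hosts))
    parser.feed(html)
    parser.close()
    return parser.findings
```

A finding whose upgrade value is None marks a resource that cannot be fixed by editing the reference alone, because its host is not in the known-HTTPS set.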