Google today announced its next steps for how Chrome labels HTTP and HTTPS sites. Starting in September 2018, Chrome will stop marking HTTPS sites as “Secure” in its address bar. And then in October 2018, Chrome will start displaying a red “Not secure” label when users enter data into HTTP pages.
HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to reduce users' exposure to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.
Google has been pushing the web to HTTPS for years, but it accelerated its efforts last year by making changes to Chrome’s user interface. Chrome 56, released in January 2017, started marking HTTP pages that collect passwords or credit cards as “Not secure.” Chrome 62, released in October 2017, started marking HTTP sites with entered data and all HTTP sites viewed in Incognito mode as “Not secure.”
With the release of Chrome 68 in July, here is what HTTP sites will look like in the address bar:
Notice that they are labeled as “Not secure” but the text is still gray.
With the release of Chrome 69 in September, HTTPS sites will no longer sport the “Secure” wording:
This is an odd decision. I prefer seeing the green “Secure” label when I’m about to log in to a website or enter credit card information.
Google believes, however, that “users should expect that the web is safe by default” and that they will only be warned “when there’s an issue.” As a result, Chrome’s positive security indicators are being removed “so that the default unmarked state is secure.”
With the release of Chrome 70 in October, HTTP sites will show a red “Not secure” warning when users enter data:
Notice how the page is already labeled as “Not secure” in gray, but the text turns red upon entering data.
Google’s plan has always been to mark all HTTP sites as “Not secure” in red. This is just the latest stepping stone. But now we’re also learning that Chrome will eventually only focus on these negative red labels and remove the green positive ones.
In February, Google shared that over 78 percent of Chrome traffic on both Chrome OS and Mac was HTTPS, while 68 percent of Chrome traffic on Android and Windows was HTTPS. We reached out to Google today to see if the company was willing to share an update on these figures. Update: No new figures, but you can view the latest progress for yourself here.