Chrome to strip “secure” from HTTPS sites in September

Google will soon update Chrome’s security indicators for HTTP and HTTPS pages to align its browser warnings with a web where secure connections are the norm. 

Google announced in February that in Chrome 68 — due out in Stable this July — it would start marking all HTTP sites as “not secure”, using Chrome and its one billion-plus users to shame site operators into enabling HTTPS, the secure version of HTTP which encrypts traffic between a browser and web server.

The process involves acquiring the necessary SSL/TLS certificates from a Certificate Authority like Let’s Encrypt and then configuring the site to support HTTPS.

Google last week flagged the next set of changes coming to Chrome as it adapts the browser’s security indicators to a web where the default state is secure.

When Chrome 69 is released in September, Google’s browser will no longer display “secure” on an HTTPS website. The current browser, Chrome 67, shows the word “secure” in green next to a green padlock symbol. Chrome 69 will merely show the padlock in the same grey as the website name to convey that users should expect websites to be HTTPS.

Eventually, when enough of the web has enabled HTTPS, Google plans to remove the padlock symbol too.

In the meantime, once Chrome 69 has helped normalize HTTPS in users’ minds, Google will ramp up Chrome warnings for non-secure HTTP pages, which it, with the backing of Firefox maker Mozilla, has been attempting to eradicate since 2014.

Chrome 70’s release in October will introduce a more alarming red warning for HTTP sites with the non-secure icon on pages where there is any user input field, such as a username and password field. Chrome 68’s “not secure” warning in this context is only in gray, while the red is meant to indicate affirmatively that a site is not secure.

“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages,” noted Emily Schechter, a product manager with Google’s Chrome security team. 

All other pages without a user input field will remain labeled as “not secure” but without the extra red alarm bells. 

The Chromium Projects page for the proposal for marking HTTP as non-secure doesn’t state a final date for when it will mark all HTTP pages as affirmatively not secure.

Google's HTTPS section of its Transparency report shows a clear upward trend for HTTPS usage around the world. Now over 70 percent of pages loaded on Chrome on Windows are HTTPS connections, with that number rising to 84 percent for Chrome OS users, and 81 percent on Mac.     
