Around two years ago, Google announced its plan to label all HTTP connections in Chrome as ‘not secure’. That day has finally come with the release of Chrome 68.
When a website is loaded over HTTP, the connection to it is neither secure nor encrypted. This means that the target website has not installed an SSL certificate, and anyone on the network can access the information going back and forth.
HTTPS encrypts the connection, so confidential information such as passwords or credit card details remains private when submitted to a website.
From now on, all HTTP websites will display a ‘not secure’ warning in the address bar, while HTTPS websites will remain unaffected. Google said that the default unmarked state is secure.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome Security Product Manager.
Chrome’s ‘not secure’ warning will not only help end-users know whether a website is secure, but also motivate website owners to strengthen the security of their sites.
According to Google’s Transparency Report, 85% of Chrome traffic on ChromeOS is now protected, up from 67% in 2016. Furthermore, 83% of the top 100 sites on the internet use HTTPS by default, up from just 37%.
Google’s approach to securing the internet has shown positive results in the last two years. The search engine giant began by showing ‘not secure’ in two situations: when someone enters data on an HTTP page, and on all HTTP pages visited in Incognito mode.
Eventually, Google Chrome will only mark the sites which are not secure.
“The default unmarked state is secure. We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages,” wrote Google in a blog post.
It is recommended that non-HTTPS sites get a trusted SSL certificate in order to earn their customers’ trust and contribute towards making the net a safer place.
In many ways I think it is better these days to alert to insecure as opposed to secure sites.
The only time I’ll be concerned is if they make it difficult to access insecure sites as there are times when it may not be as much of an issue e.g. home LAN, at least anything more difficult than the way they handle self-signed certificates.