Google’s Chrome browser is now listing all unencrypted sites as explicitly “not secure,” beginning with today’s release of Chrome 68. The change applies equally to all HTTP sites, which will now display a “Not Secure” image in the address bar. HTTPS-enabled sites are unaffected by the change.
First announced in February, Chrome’s design shift is the latest move in a multipronged push by Google for more encryption on the web. Login sites have displayed similar “not secure” warnings since 2016, with gradually escalating alarms for expired certificates. Google has also subtly boosted HTTPS-enabled sites in search rankings since 2014, a significant incentive for webmasters to adopt the protection.
In a blog post announcing the change, Google described it as “a milestone for Chrome security.”
Along with the product-based nudges, Google has funded significant research into the encryption standards underlying HTTPS, donating server time to demonstrate a SHA-1 collision in February 2017.
HTTPS is a form of web encryption that secures the connection between the user and the sites they visit. Websites and ad networks served without encryption are vulnerable to malware injection, a common tactic for low-level cybercriminals.
HTTPS certificates and protocols are widely available — and often free of charge — either through content distribution networks like Cloudflare or public service projects like Let’s Encrypt. That availability has spurred greater adoption in recent years. Google’s own HTTPS statistics show that 84 percent of pages loaded by US Chrome users are currently encrypted, compared to just 47 percent in July 2015.