Chrome will mark all HTTP sites as ‘not secure’ starting in July

Starting in July, Google Chrome will mark all HTTP sites as “not secure,” according to a blog post published today by Chrome security product manager Emily Schechter. Chrome currently displays a neutral information icon, but starting with version 68, the browser will warn users with an extra notification in the address bar. Chrome currently marks HTTPS-encrypted sites with a green lock icon and “Secure” sign.

Google has been nudging users away from unencrypted sites for years, but this is the most forceful nudge yet. Google search began down-ranking unencrypted sites in 2015, and the following year, the Chrome team instituted a similar warning for unencrypted password fields.

The Chrome team said today’s announcement was mostly brought on by increased HTTPS adoption. Eighty-one of the top 100 sites on the web default to HTTPS, and a strong majority of Chrome traffic is already encrypted. “Based on the awesome rate that sites have been migrating to HTTPS and the strong trajectory through this year,” Schechter said, “we think that in July the balance will be tipped enough so that we can mark all HTTP sites.”

The planned change in the Chrome address bar.

HTTPS encryption protects the channel between your browser and the website you’re visiting, ensuring no one in the middle can tamper with the traffic or spy on what you’re doing. Without that encryption, someone with access to your router or ISP could intercept information sent to websites or inject malware into otherwise legitimate pages.

HTTPS has also become much easier to implement through automated services like Let’s Encrypt, giving sites even less of an excuse not to adopt it. As part of the same post, Google pointed to its own Lighthouse tool, which includes tools for migrating a website to HTTPS.
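The two paragraphs above describe what HTTPS protects against and point to migration tooling such as Lighthouse. The checker below is an added example and is not code from The Verge, Google, Chrome or the Lighthouse project. It audits the three things a migration most often gets wrong: the HTTP origin not redirecting to HTTPS, a missing or short-lived Strict-Transport-Security header, and mixed content (subresources still loaded over plain HTTP, which Chrome also flags as not secure). All function names, the one-year HSTS threshold and the response data are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Matches subresource tags whose src/href is a plain-http:// URL (active or
# passive mixed content). Anchors are excluded: a link is navigation, not a load.
_HTTP_SUBRESOURCE_RE = re.compile(
    r'<(?:script|img|iframe|link|video|audio)[^>]*\s(?:src|href)\s*=\s*["\']?'
    r'(http://[^"\'\s>]+)',
    re.IGNORECASE,
)

# One year is the commonly recommended minimum HSTS max-age (assumption for
# this example; the page itself states no threshold).
MIN_HSTS_MAX_AGE = 31_536_000

_REDIRECT_STATUSES = {301, 302, 307, 308}


def audit_https_migration(scheme: str, status: int,
                          headers: Dict[str, str], body: str = "") -> List[str]:
    """Return a list of migration findings for one captured response.

    scheme  -- "http" or "https": the scheme the request was made with
    status  -- HTTP status code of the response
    headers -- response headers (any case)
    body    -- HTML body, used only to look for mixed content
    """
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    location = lower.get("location", "")

    if scheme == "http":
        # The HTTP origin should exist only to send visitors to HTTPS.
        if status in _REDIRECT_STATUSES:
            if not location.startswith("https://"):
                findings.append("http-redirect-not-https")
        else:
            findings.append("http-served-without-redirect")
        return findings

    # HTTPS responses: no downgrade, HSTS present and long enough, no mixed content.
    if status in _REDIRECT_STATUSES and location.startswith("http://"):
        findings.append("https-redirects-to-http")

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing-hsts")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("hsts-max-age-too-short")

    for url in _HTTP_SUBRESOURCE_RE.findall(body):
        findings.append(f"mixed-content:{url}")
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Audit a few constructed responses and return the findings per case."""
    # Constructed sample responses; example.test is a reserved test domain.
    cases = {
        "good-http-redirect": ("http", 301, {"Location": "https://example.test/"}, ""),
        "http-no-redirect": ("http", 200, {"Content-Type": "text/html"}, ""),
        "good-https": ("https", 200,
                       {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                       '<img src="https://example.test/a.png">'),
        "mixed-content-no-hsts": ("https", 200, {},
                                  '<script src="http://cdn.example.test/x.js"></script>'),
    }
    return {name: audit_https_migration(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'OK'}")
```

Feeding real captures into `audit_https_migration` only requires the scheme, status code, headers and body of each response; the mixed-content check is deliberately scoped to tags that load content, since a plain `<a href="http://...">` does not trigger Chrome's warning.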

Comments

What about local intranet sites? For some applications it’s just overhead to use https instead of http.

It still throws the message for local intranet sites too. I already have the feature turned on and it behaves like this. It’s no big deal though.

Overhead in what way exactly?

At work I run a certificate authority so that users don’t get warning messages.

Thanks google!

I understand why they’re doing this, but HTTPS isn’t always something necessary or desirable in some scenarios.

So fucking stupid and confusing, and totally hostile to web developers.

If a website is just serving content there is absolutely no need for communications to be encrypted.

It should be up to content providers to determine whether or not they need to use HTTPS, not Google. Google is just being a bully.

Bullying people into safety with information…

That’s new.

The risk website owners take is that there is a chance you lose revenue and traffic in the short term as search engines and ad bots take a while to reindex them again. There is a 30% loss in revenues (usually in the short term) considering the experiences of some websites whose numbers I have seen. When your primary source of income is your website, it takes a leap of faith for webmasters to jump into https.

Or they can just not jump in and lose even more revenue over time as they are ranked lower and lower in Google search.

I used to think that, but now with LetsEncrypt I don’t see why not. It even spurred me to move my website to a much better hosting provider, as my previous one didn’t provide Let’s Encrypt.

I totally get that, and my site runs https too. However, I think the problem is that Google is trying to coerce https usage for pointless, self-serving reasons.

If you hate it so much then use Firefox or Edge (lol). Chrome is only beholden to Google and as such Google can do what it pleases with the product.

FYI this is not a Google thing, Firefox is going to do it too and Safari and Opera, etc.

Uh yeah, because I totally need HTTPS to read The Verge. Thanks Google.

I don’t mean to be cynical, but this is hardly an altruistic move by the company Google. In an all-HTTPS world, Google has access to all your data inside your HTTPS tunnels ANYWAY so it’s just making users think they’re more private when really, Google is only making it easier for the web to conform to the walled garden of security and privacy that they have the keys to anyway, so to speak.

What is altruistic and nice is HTTPS moves outside of the Google browser which are also non-commercial or -exploitative, like Let’s Encrypt.

Your comment is senseless. Google has access to your data whether websites conform to a security standard supported by industry and privacy advocates alike. Google itself has nothing but PR to gain from this move. Users have nothing but security to gain from all sites offering encryption. Man-in-the-middle attacks and deep tracking are prevented with this protocol. If anything HTTPS and HTTP/2 don’t go far enough.

Save the cynicism for moves which actually hurt users.
