This article is more than 1 year old

Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January

Web giant will start labeling insecure websites insecure

Starting New Year's Day, Google will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain text HTTP.

If you use the ad giant's Chrome browser, and a lot of people do, in its 56th build and onwards any website that does not use a security certificate will feature a red exclamation mark and the text "Not secure," also in red, at the start of the web address.

Those that do use certificates and so have an HTTPS connection will continue to get a nice little green padlock icon.

The decision was announced on Google's security blog and will "help users browse the web safely." It is part of "a long-term plan to mark all HTTP sites as non-secure."

If a website is not secured, it is possible for someone else to interfere with the website before you see it, if they are on the same network. For a long time, only websites with serious security concerns bothered to get a certificate – like businesses taking payments or banks allowing people to log into their accounts.

Over time, however, it has grown increasingly important to include additional security. Google notes that more than half the pages accessed through Chrome are now HTTPS – something it has decided is a milestone.

Despite its long existence, introducing a security certificate to a website can still throw up problems. There is also an additional and persistent cost that is small, but still acts as a barrier to small businesses in particular.

Google worries that users are really aware of the potential risk they face if they provide login details and credit card information to a website that does not have an electronic security certificate.

Of course, HTTPS does not provide a certainty of security. Just this week a study showed that millions of internet-connected devices make the keys used for encrypting information readily available, immediately undermining whatever additional security the certificate provides.

Not everyone is excited about the prospect of moving to full HTTPS, either. As one NASA sysadmin pleaded earlier this year, lots of people rely on plain old HTTP to peer-share information.

"Studies show that users do not perceive the lack of a 'secure' icon as a warning," his post states. "Users [also] become blind to warnings that occur too frequently."

Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," and future releases will extend that approach to all HTTP pages if people are visiting them in its "incognito" mode.

"Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS," the post says. ®

More about


Send us news

Other stories you might like