Chrome to Add Security Warning to HTTP Sites Beginning 2017

The Google Chrome Security team announced yesterday that the browser will begin labeling HTTP connections as insecure starting in January 2017. Chrome currently displays a green lock icon in the address bar for sites that are secure, but the security team will be taking it one step further by displaying a warning on unencrypted sites.

“Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure,” said Chrome Security Team member Emily Schechter. The first step in the plan is to display a “Not secure” label in the address bar:

[Image: chrome-http-warning]

The announcement cited a study on connection security indicators that showed users do not perceive the lack of a green lock icon as a warning that a site is not secure and can become blind to warnings they see too frequently. The Chrome Security Team used this information to write a plan for changing the browser to clearly display that HTTP sites do not provide data security.

Chrome 56 will be the first release that labels HTTP pages with password or credit card form fields as insecure. Google plans to extend the HTTP warnings to Incognito mode in following releases and will eventually add a prominent red triangle to the label on all HTTP pages.
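A site owner who wants to know which of their pages meet Chrome 56's first criterion (served over HTTP and carrying a password or credit-card field) can approximate the check with a small audit script. The following is an added example, not code from the article or from the Chrome project; the sample pages are constructed, and the use of the HTML autofill tokens (cc-number, cc-exp, cc-csc, cc-name) as the credit-card signal is this example's assumption, not a description of Chrome's own detection heuristics:

```python
"""Audit helper: would Chrome 56 label this page "Not secure"?

Added example (not the article's or Chrome's code). Per the announcement,
Chrome 56 flags HTTP pages that transmit passwords or credit cards. This
script approximates that rule by parsing a page's HTML for password inputs
and for inputs marked with the HTML autofill tokens for payment cards.
Using autocomplete tokens as the credit-card signal is an assumption made
here; Chrome's real heuristics are not described on the page.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# HTML autofill tokens for payment cards (assumed signal, see module docstring).
CC_TOKENS = {"cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Counts password inputs and credit-card inputs in static HTML."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute names arrive lowercased; normalise values (which may be None).
        a = {name: (value or "").lower() for name, value in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        # autocomplete may hold several space-separated tokens, e.g. "section-pay cc-number".
        if CC_TOKENS & set(a.get("autocomplete", "").split()):
            self.card_fields += 1


def find_sensitive_fields(html):
    """Return (password_field_count, card_field_count) for the given HTML."""
    parser = SensitiveFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.password_fields, parser.card_fields


def chrome56_label(url, html):
    """Return 'Not secure' if the page matches the Chrome 56 rule, else 'ok'.

    Only the scheme the page itself was served over matters: a password form
    on an HTTP page is flagged even if its action points at HTTPS, because the
    HTTP page delivering the form can be altered in transit.
    Caveat: forms created by JavaScript after load are invisible to this
    static parser, so a clean result here does not guarantee a clean label.
    """
    scheme = urlsplit(url).scheme.lower()
    passwords, cards = find_sensitive_fields(html)
    if scheme == "http" and (passwords or cards):
        return "Not secure"
    return "ok"


# Constructed sample pages keyed by the URL they are (hypothetically) served from.
SAMPLE_PAGES = {
    "http://example.test/login":
        '<form action="https://example.test/session">'
        '<input type="text" name="user"><input type="password" name="pw"></form>',
    "https://example.test/login":
        '<form action="/session"><input type="password" name="pw"></form>',
    "http://example.test/checkout":
        '<form><input autocomplete="section-pay cc-number" name="card">'
        '<input autocomplete="section-pay cc-csc" name="cvv"></form>',
    "http://example.test/contact":
        '<form><input type="text" name="name"><textarea name="msg"></textarea></form>',
}


def audit(pages):
    """Map each URL to the label this approximation of Chrome 56 would give it."""
    return {url: chrome56_label(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, label in audit(SAMPLE_PAGES).items():
        print(f"{label:11} {url}")
```

Run against real pages, the script would need the HTML fetched over the URL's own scheme; here it works entirely on the embedded samples. The contact page comes out as "ok" under the January 2017 rule, which matches the article's point that only pages with password or credit-card fields are affected in the first step, while the long-term plan covers every HTTP page.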

Site owners who want to avoid having their HTTP sites labeled as not secure have roughly three months to secure their sites. Chrome’s long-term plan to mark HTTP sites as insecure, coupled with the progress the free Let’s Encrypt initiative is making, may help close the gap on the web’s remaining unencrypted sites.

24 Comments


  1. Scare tactics rarely work, and the implication that a site with SSL is secure is just false in any case. I predict that 99% of the users will ignore this like they ignore the mixed content warning that is on many sites that use HTTPS. They will categorize it under “too technical for me to understand” and will keep on with their lives.

    1. This is going to have to be one of those times we completely disagree Mark. :)

    2. The announcement cited a study on connection security indicators that showed users do not perceive the lack of a green lock icon as a warning that a site is not secure and can become blind to warnings they see too frequently.

      It’s not about scare. The current icon in the address bar does not convey enough information to the user to get their attention. I think the “not secure” label with an eye-catching background will accomplish the task. Way to go, Google!

      1. It is a scare tactic. There is a big fight over who can monitor any of your “movements” on the internet between the big corps and government. Monitoring is about privacy and rarely about security, as the most important security factor is whether the site is secure, not if the communication is encrypted (it takes a government to monitor your communication on the wire; never heard of a non-targeted attack that hit anyone who was just surfing the net from his home), so calling it “not secure” instead of “not private” seems like an obvious attempt to make the random net user be afraid and in return put pressure on site owners to go HTTPS.

        Since most sites are HTTP only, this warning is just going to become a constant UI noise ending in effectively the same situation as today.

      2. ISPs in developing countries routinely inject ads into plain HTTP web pages, i.e., technically a man-in-the-middle attack. So yeah, it happens all the time, just not where you live.

        You mentioned scare tactics above. You should know that google started with the carrot and is only now reaching for the stick.

        This whole thing started a few years back when they announced that HTTPS sites would enjoy an advantage in search engine results. This was done to encourage webmasters to make their sites HTTPS.

        It worked to a large extent because encrypted traffic on the web went from <20% to over 60%. It is only now that they are employing the stick by warning users about plain http sites.

  2. Not entirely clear from the post, but very interesting to know, is whether the “almighty” Google will only label the HTTP page with a password as insecure or will label the entire site as insecure?

    1. I would guess only that page – for now. Waiting can’t end well and the cost is marginal even if you go with a paid cert.

      Since they put it this way….

      “Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”

      ….I’m not waiting around to see what “eventually” means to them. That could mean 2 years or that could just as easily mean next Tuesday. It wouldn’t be the first time Google has dropped something really early (I’m looking at you AdWords – grrrrrrr). :)

      Top of my to-do list right now.

    2. The article above says that they are starting with login forms and credit card entry forms but will eventually expand to all HTTP pages.

  3. So, if the site is just a brochure site with a contact form, then it will still show as okay? For now?

    1. I think it will be fine. It is the password and credit card fields that Google Chrome will be targeting.

      But I would still recommend to implement SSL on your site because HTTPS sites get higher indexing score by Google than HTTP sites.

      1. There is no way for a browser to know which fields are password and which are credit card, and obviously with JS you can create a dynamic form after the page has loaded and therefore evade the notice altogether.

    2. “For now” is the variable that made me change everything now. :)

  4. I gotta agree with Mark on this one. It’s incentive to encourage https, but will have no actual effect on real security.

    1. It will make a difference to third-world users. For example, one ISP here replaces Google Analytics JavaScript files with its own popup ads script. It can only do that on plain HTTP sites.

      The fact is you can’t really trust anything that has not been transmitted via an encrypted connection. It could have been modified by anyone.

      1. How can you say that “it could have been modified by anyone” when in practice your only evidence is that “it could have been modified by an ISP”, and if your ISP is evil you are most likely in a big problem in any case. They will just tell you to install a browser add-on to “improve” your experience.

        In China, for example, ISPs are probably required by law to intercept traffic and analyze it, so this kind of alert will be issued for all nice western sites but will not be displayed for the evil sites of companies which are in the pocket of the government.

        As I said, encryption by itself does not provide security, and lack of encryption does not mean that you should fear surfing.

      2. This is not only about ISPs; hackers on the same network as you (e.g., a coffee shop or train station WiFi) can inject malware into any unencrypted website they want. It doesn’t matter if the site is not transferring passwords; even the simplest site with only contact information is today a target for MitM attacks.

        Deprecating HTTP and moving to HTTPS does not only bring privacy and security, it is also shown – as long as you configure it correctly – to have major speed improvements. https://www.httpvshttps.com/

      3. Oh, the WiFi threat…. Have you ever used WiFi in a coffee shop? Do you think the owners of a coffee shop are focused on serving food or hacking computers? In most places I have been, knowing how to restart the router when it fails is the limit of the technological understanding of the people working there. They just get the router from the ISP and nothing more; the idea that they will rent additional/more expensive equipment just to hack the 10 people a day that use WiFi there for a $1-2 profit is just ridiculous, especially since it will open them to being sued for computer crimes and/or copyright infringement.

        A threat of a security camera recording your bank details while you enter them is more realistic.

        And why should anyone that cares about his security use open WiFi at all? Nowadays everybody has a smartphone with a data plan and tethering ability.

  5. Well, I just avoided the whole mess by installing the WP Encrypt plugin and activating my new Let’s Encrypt cert.

    For God’s sake people – it’s FREE – and it automatically renews every 90 days so I’ll never need to touch it again.

    My host was happy to help me set it up and now I have an advantage over my competitors that aren’t SECURE. :)

  6. Do we have to encrypt all pages? Or just pages that handle sensitive information?

    1. Did you read the announcement?

      Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

  7. This is definitely a scare tactic by Google, but I don’t see it as being a bad thing. Those that will ignore it, have probably been ignoring the HTTPS issue for years now. I think it will definitely help at least bring attention to people possibly looking at the benefits of HTTPS, such as encrypted data, SEO, performance in some cases (HTTP/2), better referral data from Google Analytics, trust, and now… well I guess you can add Chrome labels to the list.

    For those of you debating migration, don’t forget the SEO aspects, as I have seen some people completely kill their traffic overnight: creating a new GSC profile, re-submitting the disavow file, 301 redirects, etc. Here is a good guide: https://kinsta.com/blog/http-to-https/

  8. Good on you Google.

    Mobile, AMP and now https.

    I appreciate your efforts to improve the Internet and the quality of the websites.

  9. Hi. Thanks for the info, I still have a few questions though. What about blogs with just comment fields? Will they be marked as non-secure? Are there free certificates that will do the work, or do I have to buy one for each blog?

  10. Does anyone know if the backend’s login page of a WordPress site counts as a “login”? If so, every WordPress/Drupal/Joomla site will be affected.
