Google Chrome Rolls Out “Not Secure” Warning for Plain HTTP Sites

As part of a long-term plan to push the web to adopt HTTPS encryption, Google Chrome is now marking all plain HTTP sites as “not secure,” as of July 24, 2018, with the release of Chrome 68. Previously, the “not secure” warning was hidden behind the security indicator in the URL bar, as shown below.

That warning has become more prominent with the release of Chrome 68. The browser now immediately displays the “Not secure” message in the omnibox for all HTTP pages.

Today Google announced a time frame for eventually marking HTTP sites with a red “not secure” warning:

Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure. We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages.

image source: Google Security Blog

Google Chrome currently captures 60% of the browser market share worldwide, making it one of the company’s most effective vehicles for driving HTTPS adoption. Let’s Encrypt, the free and open certificate authority (of which Chrome is a platinum sponsor), has also been a key player in precipitating the rise in secure traffic over the past few years. Firefox Telemetry shows that HTTPS traffic is at 81% for US users and 73% for all users.

Google’s Transparency report shows similar numbers for percentage of pages loaded over HTTPS in Chrome. 84% of US traffic is encrypted by HTTPS.

Google has even more weapons in its arsenal for compelling website owners to switch to HTTPS. Even before Chrome began flagging unencrypted sites, the search engine added HTTPS as a ranking signal in 2014. It started as a lightweight signal that affected fewer than 1% of global queries. Google has also indicated that HTTPS may break ties between two equal search results, making a difference for competitive niches. With more sites adopting HTTPS as the norm, the company may choose to strengthen the signal in the future.

Not everyone is comfortable with a for-profit company making an aggressive push to require websites to deliver content over HTTPS. Some fear that prioritizing encryption in search results, while also using Chrome to cast doubt on websites’ security, is just the beginning.

Dave Winer, one of Google’s most vocal critics regarding this initiative, sees the push towards HTTPS as the company’s attempt to take control of the open web. His concern is that if Google succeeds, it might “make a lot of the web’s history inaccessible.”

“Google makes a popular browser and is a tech industry leader,” Winer said. “They can, they believe, encircle the web, and at first warn users as they access HTTP content. Very likely they will do more, requiring the user to consent to open a page, and then to block the pages outright.”

Others have speculated that another driving factor behind Google’s push for HTTPS adoption may be its investment in advancing progressive web app (PWA) technologies, which require HTTPS to be enabled. Last year Google dumped Chrome apps from the Chrome Web Store in favor of building PWAs that can be installed on the desktop. HTTPS is a requirement for the permission workflows, new features, and updated APIs that the company is using to build its future products.

It’s easy to see how HTTPS is critical for e-commerce, banking, and other sites that collect highly sensitive data from users, but many wonder if it is necessary for simple blogs and content websites. Google contends that all websites need HTTPS protection to prevent intruders from injecting ads or exploits.

Few would dispute the value of HTTPS, but critics are wary of Google establishing itself as the arbiter of safe browsing on the web.

For the moment, Winer seems to be committed to using HTTP to deliver his content. In Google’s feverish quest to push the entire web to adopt HTTPS, sites that are holding fast to HTTP on principle now appear as a sort of protest.

“This blog and all my other sites use HTTP,” Winer said. “I don’t see that changing. I expect this will make writing for the web more of a chore. That’s life I guess. I don’t want Google to be able to mold the web to its needs. I never signed on to being a Google developer, and never would. Basic rule: Google is a guest on the web, as we all are, and guests don’t make the rules.”

12 Comments


  1. In regards to PWA, note that the previously-reported PWA feature plugin includes better support for HTTPS in WordPress as one of its purposes. This is because service workers depend on HTTPS to be installed.

    1. So the idea is to force HTTPS on everyone if this feature plugin transits to core?

      SSL / TLS in itself is NOT secure, if you don’t secure the other two points of “interest”, i.e. client (= your local system) and, much more important, server. IMHO this is all a somewhat false-flag operation, because everyone non-deeply involved – and even then – is now thinking: “SSL makes everything secure!” – which of corpse is WRONG. If you don’t update your WP install, keep your server software up-to-date OR secure, then no matter how much strong SSL encryption you throw around, your site is still destined to be hacked and abused as e.g. trojan horse malware hole in the end.

      cu, w0lf.

      1. No. The plugin intends to improve HTTPS support, not force a site to use HTTPS.

  2. I’ve thought about this a lot. Google doesn’t make the rules for any web browser except Chrome. If anyone doesn’t like how it’s changing, they can use Firefox or even Edge.

  3. Google does not enforce not secure for many government websites

    1. I can’t imagine Google ever doing this specifically because a website is government related.

  4. My blog, http://scripting.com, is not “not secure.” It uses the standard protocol of the web, HTTP. It will not hurt you.

    HTTPS has nothing to do with whether his blog is secure. It has everything to do with whether a visitor’s connection to the blog is secure. If the connection is not secure, then it doesn’t matter how secure the blog itself is, anyone that can intercept the connection can do dangerous stuff. Without HTTPS, you actually have no control over what your visitors actually get served when they visit your site. (HTTPS doesn’t fix every ill either, but it is a big step in the right direction.)

    1. In what way? People are still not going to update. In some cases, it pushed them into the right direction, letting professionals (like me) update and upgrade their sites to current software and standards, but there are also many cases where folks just “install” SSL and be done with it. Nothing changes, sites stay hugely unsecure. And that is my personal beef with all of that: The normal Joe Schmoe gets the impression, if you set up your site with SSL, everything is back to normal and all is going to be secure.

      So no, it’s not a step into the right direction. It’s one step forward and a half or even one step back, so we are at best slightly better than before, or just on the same zero state as before.

      cu, w0lf.

      1. You are right—people need to understand the difference between the server being secure and the connection being secure. And this may not help with that, although it is a good opportunity for education. But since in the end the plan is to no longer say that a site (really, connection) is “secure” just because it has TLS, I’d still say that this is a step in the right direction. TLS doesn’t make your site secure, but not having it does make every connection to the site insecure.

  5. The “Encrypt Everything” initiative is not Google driven. It is an industry move that has been happening for years. Let’s Encrypt gives away free SSL certificates, and there are websites like ZeroSSL that provide you with Let’s Encrypt certificates through a web interface if you cannot install LE on your server. There is no reason to avoid SSL anymore.

    As others have indicated, an SSL-encrypted connection is just one step. Is your server secure? Is your CMS login secure? Is your file system secure? Are your plugins secure? Is your database secure? SSL is merely protecting your transport, but it’s a big improvement.

    SSL ensures the data sent from the server is the data the client receives. There are no unintended ad injections, and no code manipulations. Your content is not snooped and used for any other purposes, regardless of whether it contains personal data or not. Do you want the world knowing what you’re reading about, anyway?

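The article describes Chrome 68 flagging any page still served over plain HTTP, and the comment above makes the point that TLS protects only the transport: a site owner who “installs SSL and is done with it” can still serve an HTTP front door, omit HSTS, or pull scripts and images over http://. The following is an added example, not code from the article, its commenters, or any project they mention. It is an offline checker that takes captured responses (status, headers, and HTML body) and lists what is left of an HTTPS migration; the service-worker check reflects the browser rule that those APIs only run in a secure context (https, or localhost for development). The hostnames and header values in the sample data are constructed.

```python
"""Offline checks for the state of a site's HTTPS migration (added example)."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ONE_YEAR = 31_536_000  # seconds; the usual minimum HSTS max-age for preload lists


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_secure_context(url: str) -> bool:
    """Service workers and most PWA APIs only run in a secure context:
    an https/wss origin, or localhost during development."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme in ("https", "wss"):
        return True
    return host in ("localhost", "127.0.0.1", "::1") or host.endswith(".localhost")


def redirects_to_https(status: int, headers: Dict[str, str]) -> bool:
    """True when the plain-HTTP response is a redirect to an absolute https:// URL.
    A relative Location keeps the client on http, so it does not count."""
    if status not in (301, 302, 303, 307, 308):
        return False
    location = _header(headers, "Location") or ""
    return urlsplit(location).scheme == "https"


def hsts_max_age(headers: Dict[str, str]) -> Optional[int]:
    """Parse max-age out of Strict-Transport-Security; None if absent or malformed."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(raw.strip().strip('"'))
            except ValueError:
                return None
    return None


class _InsecureReferenceFinder(HTMLParser):
    """Collect subresources and form targets that point at plain http://.
    Plain <a href> links are not mixed content, so they are ignored."""
    WATCHED: Tuple[Tuple[str, str], ...] = (
        ("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href"),
        ("video", "src"), ("audio", "src"), ("source", "src"), ("form", "action"),
    )

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.WATCHED and value and value.lower().startswith("http://"):
                self.found.append((tag, value))


def find_mixed_content(html: str) -> List[Tuple[str, str]]:
    parser = _InsecureReferenceFinder()
    parser.feed(html)
    return parser.found


def assess(http_status: int, http_headers: Dict[str, str],
           https_headers: Dict[str, str], html: str) -> List[str]:
    """Return human-readable findings; an empty list means the migration looks complete."""
    findings: List[str] = []
    if not redirects_to_https(http_status, http_headers):
        findings.append("plain HTTP is served without redirecting to HTTPS (Chrome 68 marks it 'Not secure')")
    age = hsts_max_age(https_headers)
    if age is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    elif age < ONE_YEAR:
        findings.append(f"HSTS max-age {age} is shorter than one year")
    for tag, url in find_mixed_content(html):
        findings.append(f"mixed content: <{tag}> references {url}")
    return findings


# Constructed sample captures: a site that only "installed SSL", and a finished migration.
LEGACY_HTML = ('<html><head><link rel="stylesheet" href="http://cdn.example.test/style.css"></head>'
               '<body><img src="http://img.example.test/a.png"><a href="http://example.test/about">About</a>'
               '<form action="http://example.test/login" method="post"></form></body></html>')
MIGRATED_HTML = '<html><body><img src="/logo.png"><script src="https://cdn.example.test/app.js"></script></body></html>'


def legacy_findings() -> List[str]:
    return assess(200, {"Content-Type": "text/html"}, {"Content-Type": "text/html"}, LEGACY_HTML)


def migrated_findings() -> List[str]:
    return assess(301, {"Location": "https://example.test/"},
                  {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}, MIGRATED_HTML)


if __name__ == "__main__":
    for label, findings in (("legacy", legacy_findings()), ("migrated", migrated_findings())):
        print(f"{label}: {findings or ['no findings']}")
```

The checks run over captured responses rather than live requests so they can be applied to a saved crawl or used in a deployment test; in practice the three conditions (redirect, HSTS, no http:// subresources) are the ones that decide whether the omnibox indicator the article describes disappears for a site.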

Comments are closed.