Google has announced that beginning in July 2018, with the launch of Google Chrome 68, all websites which connect via an HTTP connection, instead of HTTPS, will be clearly marked as “not secure”. Treatment of HTTP webpages has been an evolving process where more and more insecure sites were labelled as “not secure”, depending on the page and whether or not the user was in Incognito mode. Today’s announcement means “not secure” will be shown on all HTTP websites.
Google started out by only marking pages without encryption that collect passwords and credit card information, then it started marking pages where any data was entered over an insecure connection, and on all HTTP pages visited in Incognito mode. Now, all insecure websites shall be marked.
In the announcement, Emily Schechter, Chrome Security Product Manager, said:
“Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.”
According to Google’s stats, 68% of Chrome traffic on Android and Windows is now using HTTPS, over 78% of Chrome traffic on Chrome OS and Mac is now using HTTPS, and 81 of the top 100 sites on the web use HTTPS by default. One project which has helped propel HTTPS forward is Let’s Encrypt. Last summer it managed to reach 100 million issued certificates. Let’s Encrypt has been very popular because it allows site admins to upgrade sites to HTTPS at no cost and in an automated fashion.