Time to Finally Say Goodbye to HTTP! Google Starts Shaming Non-HTTPS Sites
The Hypertext Transfer Protocol (HTTP) has had a good, long run for over 25 years. However, it is about to be called out as not-secure starting today since it lacks sufficient protections to safeguard communications against eavesdropping and tampering.
Google has been ramping up its efforts against the use of HTTP in favor of its secure successor, HTTPS. Along with other industry leaders, including Mozilla, Apple, and Microsoft, the browser maker has been pushing websites to switch to HTTPS. With the release of Chrome 68 today, Google has now started labelling websites not using HTTPS as "not-secure."
The notification alerts users whenever they are on a non-HTTPS website, signaling that they should stop trusting it with sensitive data. Some major organizations, especially educational institutes and hospitals, are yet to make their move to HTTPS.
"Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”," Emily Schechter, Chrome Security Product Manager, wrote today. "This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users."
Google also shared the following stats on HTTPS adoption:
- 76 percent of Chrome traffic on Android is now protected, up from 42 percent
- 85 percent of Chrome traffic on ChromeOS is now protected, up from 67 percent
- 83 of the top 100 sites on the web use HTTPS by default, up from 37
Google believes that users should expect that the web is safe by default. This means that they shouldn't be shown the "secure" mark on HTTPS sites but should instead be warned against not-so-secure HTTP sites. "We’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure," the company had said earlier this year.
This is a gradual process. Chrome 68 labels HTTP websites as not-secure starting today. In September 2018 (Chrome 69), Chrome will remove the “Secure” wording, replacing it with a lock icon, and eventually remove that too.
In today's post announcing these changes, the company wrote:
"When you load a website over plain HTTP, your connection to the site is not encrypted. This means anyone on the network can look at any information going back and forth, or even modify the contents of the site before it gets to you. With HTTPS, your connection to the site is encrypted, so eavesdroppers are locked out, and information (like passwords or credit card info) will be private when sent to the site."
The warning sign carries the potential to significantly affect your site traffic as it could scare away your visitors. However, Google has continued to share some easy set-up guides to help you start the process.