Google tightens noose on HTTP: Chrome to stick 'Not secure' on pages with search fields

Google is giving web developers six months to prepare for the next phase of its plan to mark all HTTP pages as 'Not secure'.

October will mark stage two of Google's plan to label all HTTP pages as 'Not secure' in Chrome.

In January, Google started to label some pages in HTTP as non-secure with the release of Chrome 56. This phase affected pages that transmit sensitive information such as login and payment-card data on the web.

The not-secure label indicated that data is being exchanged on an unencrypted connection. HTTPS, the secure version of HTTP, offers better protection against someone on the same network viewing or modifying the traffic, in what is known as a man-in-the-middle attack.

Beginning in October, Chrome will label HTTP pages as insecure if users can input any data. Google highlights this will apply to any page with a search box.

"Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the 'Not secure' warning when users type data into HTTP sites," said Emily Schechter, a Chrome Security Team product manager.

The expanded warnings for HTTP pages will are likely to add pressure on site owners to acquire the necessary SSL/TLS certificates and setup HTTPS on their web servers. Also, warnings for any user-input field cast a wider net than login and payment pages, given the frequency of pages with a search box.

Site owners have about six months from now to enable HTTPS with Chrome 62 due for stable release on October 24.

Firefox maker Mozilla hasn't yet said whether it will follow Chrome's new user input warnings, but it also began displaying 'in-context' warnings for payment and login pages in January.

One site owner discovered the consequences of not enabling HTTPS on payment and login pages in March, and, amusingly, filed a bug report to Mozilla requesting the warnings be removed.

Chrome 62 will also introduce warnings for all HTTP pages when the user selects Chrome's Incognito mode.

"When users browse Chrome with Incognito mode, they likely have increased expectations of privacy. However, HTTP browsing is not private to others on the network, so in version 62 Chrome will also warn users when visiting an HTTP page in Incognito mode," said Schechter

Google hasn't said how or when it will expand non-secure warnings to more HTTP pages but it will eventually label all HTTP pages insecure. When that happens, it will display 'Not secure' in red, which is today only used for broken HTTPS.

The other reason Google is dragging the web towards HTTPS is to support its push for developers to adopt progressive web apps through JavaScript 'service workers'. These sit between the browser and network to enable offline and background syncing features and require HTTPS to be enabled.

According to Google's HTTP Transparency Report, over half of all pages are viewed over HTTPS on the desktop. For Chrome OS, 71 percent of pages are loaded over HTTPS, while 58 percent are for Chrome on Windows. While it is becoming more common for sites to enable HTTPS, dozens of the world's most popular sites still have not.

Read more about Chrome and browsers

• Does anyone actually use (or even know about) Microsoft's Edge browser?
• Chrome browser's 'secure' isn't the same thing as 'safe'
• Google: Requests for users' data have soared, so we need new cross-border rules
• Chrome: Is ad giant Google about to roll out in its own ad blocker?
• Firefox drops its Aurora Channel, moving the Developer Edition to the beta version