In encryption push, Chrome flags HTTP sites as "not secure"

The warnings aim to push sites to adopt HTTPS to prevent snooping.
Written by Zack Whittaker, Contributor

Chrome will today start marking sites that don't use HTTPS as "not secure."

Google first announced two years ago that it would flag any site that still uses unencrypted HTTP to deliver its content, and the change lands in the latest version of Chrome, out Tuesday. It's part of the company's years-long effort to gradually nudge more webmasters and site owners into adopting HTTPS, a secure encryption standard for data in transit.

Any site that doesn't load with a green padlock or a "secure" message in the browser's address bar will be flagged -- and shamed -- as insecure.

In simple terms, HTTPS provides security but also integrity. That green padlock means any data sent from your computer or device to that website and vice versa is transmitted securely and can't be intercepted by an attacker. Because HTTPS wraps an encrypted tunnel around the site and anyone who visits it, users also know that the site hasn't been modified in any way by anyone other than the website owner.

That means even if you're on a public and unsecured Wi-Fi hotspot, accessing an HTTPS site can shield your network traffic from anyone snooping on the network.

For years, HTTPS was limited to banks and major e-commerce sites. But now it's for everyone -- including news sites and social networks and even blogs. And thanks to the prevalence of free-to-own HTTPS certificates from groups like Let's Encrypt, there has never been a better excuse to make the jump.

Yet, according to nightly data compiled by security experts Troy Hunt and Scott Helme, roughly 100 of the top 500 websites are still serving their pages over unencrypted HTTP -- all of which will today be flagged as "insecure."

Many of those sites -- like Baidu, JD.com, and Google.cn -- are Chinese-language sites, but many popular Western sites -- including BBC.com, DailyMail.co.uk, and Fedex.com -- are also still served over HTTP.

Of the top million sites, a little over half do not redirect to HTTPS.

When you next update your Chrome browser, you'll start to see the warnings.

Chrome currently has about 60 percent of the overall browser usage share, statistics show, meaning marking sites as "not secure" will have some pulling power. Just overnight, several HTTP-only sites made the switch to HTTPS to escape being named and shamed by the browser.

But HTTPS isn't a golden shield for web security. It doesn't mean that data you submit to a site -- like files, photos, or messages -- is stored securely at rest and is immune from breaches.

The current browser version, Chrome 68, also comes with tab-under blocking and better keystroke handling in full-screen mode. Chrome 70, which is slated for October, will go one step further and mark "not secure" sites in red to warn of the dangers.