Chrome to start labeling HTTP connections as non-secure

The warnings against HTTP sites will be rolled out gradually, starting in January.
Written by Stephanie Condon, Senior Writer

Google is finally moving forward with its plan to discourage the use of HTTP sites by marking them as non-secure on Chrome.

The new warning will be rolled out very gradually: Beginning in January, Chrome 56 will mark HTTP sites that transmit passwords or credit cards as non-secure. Rather than using a red icon, the initial warning will simply say "Not secure" in grey.


At some later point, Google will take its warnings up a notch. First, it will label HTTP pages as "not secure" in incognito mode. Ultimately, Chrome will label all HTTP pages as not secure with the same red triangle icon it uses to indicate broken HTTPS.

"Chrome currently indicates HTTP connections with a neutral indicator," Emily Schechter wrote in a blog post. "This doesn't reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."

In spite of that, Google is deliberately rolling out the plan gradually, after considering it for years. Schechter noted that, according to studies, users become blind to warnings that appear too frequently. Google has taken other steps to encourage HTTPS use, such as using HTTPS as a positive ranking signal. In December 2015, it adjusted its indexing system to crawl for HTTPS equivalents of HTTP pages and prioritize them where they're available. The company recently hit a milestone, with more than half of Chrome desktop page loads now served over HTTPS.

Last month, Google implemented HTTP Strict Transport Security (HSTS) on the google.com domain to prevent users from navigating to its site over insecure HTTP.
