Google will label HTTP sites as non-secure from January

9 September 2016

Google has announced that it will be marking websites that process sensitive information without HTTPS as “non-secure” in Chrome from January 2017. This is part of Google’s goal to adopt HTTPS as the new standard.

What will change, exactly?

The security indicators have already been updated in the current version of Chrome, version 53, in order to more clearly inform visitors about the (non-)security of a connection to a website. A non-secure connection still shows a neutral notification, although an information button (labelled “i”) has been added. In version 56, Google will take things one step further by adding the text “Not Secure” as well. The image below shows how a website without SSL is currently displayed and what it will look like from January 2017.

[Image: HTTP in Chrome 56]

In version 56, only HTTP sites that process personal information, e.g. passwords and credit card information, will receive a notification. In the long run, it is Google’s intention to display this notification for all HTTP websites, even those without forms to fill in. This notification will stand out a lot more because of its red colour and the inclusion of a warning triangle.

[Image: Chrome Non-secure warning]

It is already possible to see how HTTP will soon be displayed by changing a setting in the Chrome browser: via chrome://flags, go to “Mark non-secure origins as non-secure” (listed for Mac, Windows, Linux, Chrome OS, Android) and select the “Mark non-secure origins as non-secure” option.
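For site owners who want to know which of their pages fall under the version 56 criterion described above (HTTP pages that ask for passwords or credit card information), the following is an added example, not code from the original article or from Chrome. It assumes credit card fields can be recognised by the standard HTML autocomplete tokens, which may differ from Chrome's own detection, and the shop.example pages are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: credit card fields are recognised by the standard HTML
# autocomplete tokens; Chrome's own detection may differ.
CARD_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}


class SensitiveInputFinder(HTMLParser):
    """Collects <input> elements that ask for a password or card data."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute names arrive lowercased; normalise the values too.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        name = a.get("name") or a.get("id") or "(unnamed)"
        if a.get("type") == "password":
            self.findings.append(("password", name))
        elif CARD_TOKENS & set(a.get("autocomplete", "").split()):
            self.findings.append(("credit-card", name))


def audit_page(url, html):
    """Return the sensitive inputs of a page that is served over plain HTTP."""
    if urlsplit(url).scheme.lower() != "http":
        return []  # HTTPS pages do not receive the notification
    finder = SensitiveInputFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample pages (not taken from any real site).
SAMPLES = {
    "http://shop.example/login": '<form><input name="user"><input type="PASSWORD" name="pw"></form>',
    "http://shop.example/pay": '<form><input id="card" autocomplete="section-pay cc-number"></form>',
    "http://shop.example/about": "<p>No forms here.</p>",
    "https://shop.example/login": '<form><input type="password" name="pw"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        hits = audit_page(url, html)
        print(url, "-> notification expected:" if hits else "-> no notification:", hits)
```

Pages reported with findings are the ones to move to HTTPS first; pages without forms are only affected by the long-term plan mentioned above.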

Why implement these changes?

Google has been hard at work to promote the use of SSL certificates for quite a while, because this leads to a safer internet. For several years now, for example, the use of HTTPS throughout a website has been a factor in a website’s ranking in Google’s search results. Google also discourages the use of outdated certificates.

Google claims that, partly thanks to these measures, a large part of internet traffic has transitioned to HTTPS and that the use of HTTPS continues to rise. Chrome is the most-used web browser these days and more than half of the desktop Chrome visits are already made via HTTPS. Since the publication of the “HTTPS on Top sites” report in February of this year, twelve new websites from the top 100 have adopted HTTPS as the new standard.

Google hopes to see other browser developers adopt these new icons as well. Mozilla is expected to take its browser Firefox in a similar direction.
