Google Chrome Will Soon Mark All HTTP Connections as Insecure

Insecure Pages Will Trigger Warnings in Google Chrome

In Google’s latest effort to protect its users, Google will start marking all HTTP connections as insecure. Their plan goes into effect January with the release of Chrome 56. The plan will roll out in stages, and Chrome will display a “not secure” warning before HTTP URLs in the browser’s address bar for pages which contain password or credit card fields.

HTTP, or HyperText Transfer Protocol, is used to send and receive web pages. Research into HTTP began in 1989, but it is still widely used today. An important fact about HTTP is that all data sent using it is sent in plain text; usernames and passwords included. The internet was not built with security with mind, and early protocols were built simply to send data reliably.

"Websites like Amazon and PayPal would not exist if customers could not trust that their data was safe on the web."

HTTPS, or HTTP Secure, is a more secure alternative. HTTPS uses what are known as certificates to encrypt web pages. As mentioned, without using HTTPS, anyone on your network or between your computer and the website you are visiting, may be able to see your data. The use of encryption has heavily affected the growth of e-commerce in the past decade. Websites like Amazon and PayPal would not exist if customers could not trust that their data was safe on the web.

Google’s multi-step plan will first label HTTP pages as not secure when using Chrome’s Incognito mode. At some point, Chrome will mark all HTTP pages (not just those with credit card and password fields) as non-secure and switch the security indicator from the simple “i” in a circle to a red triangle.

Google’s choice to only mark insecure pages using credit card or password fields (for now) is an agreeable move, delaying fears that they would mark all HTTP sites (like our own) with their terrible red triangle immediately. Google Chrome’s overwhelming 50% plus market share can be a death flag for smaller web sites that can’t afford (or install) an HTTPS certificate. This has been less of a problem with the recent Let’s Encrypt movement, but HTTPS is not a magic bullet. Rogue certificates and certificate authorities, stolen private keys, and other problems plague encryption, and need their own forms of security.