Chrome Will Mark HTTP Pages as Non-Secure on January 2017


One nifty function Chrome offers users of its web browser is an indicator that marks a connection as secure or non-secure via an icon in the address bar. Chrome has long refrained from labelling HTTP connections (HTTP Pages) as non-secure, traditionally marking them with a neutral indicator, which “doesn’t reflect the true lack of security for HTTP connections,” according to Google.

Typically, websites with a “HTTPS” before the the URL have an added layer of security. Loading HTTP websites, on the other hand provides potential intruders with opportunities to modify or peek at the site before a user can access it.

As such, the forthcoming Chrome 56 web browser will begin marking as “non-secure,” sensitive HTTP pages that collect passwords or ask for credit card information beginning next year, in January 2017. Users will also be notified when they are entering a website without a secure connection. Chrome’s move to label such pages as non-secure is great for security-conscious users of the world’s most popular web browser, as unencrypted HTTP is particularly vulnerable to man-in-the-middle attacks for login pages and payment forms.

The move should also incentivize more websites to transition to secure HTTPS servers. Two years ago, Google modified its search algorithm to privilege encrypted HTTPS websites. Transitioning to HTTPS has been a growing trend, fortunately, with more than half of Chrome page loads now being served over HTTPS. Since February 2016, 12 more of the top 100 most popular websites have also made the transition.

Because users tend to become blind to overly frequent warnings, Chrome has decided to roll out the “not secure” indicators gradually, beginning with HTTP login or payment form pages, which are the most sensitive.

In the following updates, Chrome will extend the warning to HTTP pages  in Incognito mode and eventually label all HTTP pages as unsecure using the red triangle icon.


Scroll to Top