HTTP Websites Will Be Labeled as Not Secure


We recently discussed the new rules by which Google treats 301 and 302 redirects. These changes clearly show that Google continues to encourage all website owners to switch from HTTP to HTTPS. In support of this, the official Google Security Blog announced in early September that, to make the online environment more secure, Chrome will mark connection security with a special icon in its browser address bar.

Moving HTTP Websites to HTTPS

From January 2017, starting with Chrome 56, all HTTP sites that handle passwords or credit card data will be marked as non-secure. This approach is part of a long-term strategy to label all HTTP websites this way.

Currently, Chrome uses a neutral indicator to inform users that the HTTP protocol is in use and the site is not secure enough. When a website is loaded over HTTP, there is a high risk that someone can modify the data before it reaches the user.

The transition to HTTPS will soon become a requirement rather than a recommendation. As noted in the official report, a large part of web traffic has been switched to HTTPS, and the number of websites using HTTPS is steadily increasing. One of the more recent achievements is that more than half of Chrome desktop pages were loaded over HTTPS.

According to researchers, users do not perceive the lack of a “secure” icon as a warning, and they also stop paying attention to warnings that appear too often. Google’s plan to mark HTTP websites more explicitly as non-secure will be implemented in several steps, based on increasingly strict criteria. In January 2017, Chrome 56 will mark HTTP pages where users have to enter passwords or credit card data as "not secure," given their sensitive nature.

Later, the HTTP warnings will be expanded. There are plans to label HTTP pages as “not secure” in Google Chrome's Incognito mode, where users may expect more security and privacy. The ultimate objective is to mark all HTTP pages as non-secure and to replace the HTTP security icon with the red triangle.

In practice, some online stores implement HTTPS for the checkout area only, where passwords and credit card data are transmitted. But according to the information above, all HTTP websites and HTTPS websites with mixed content will also fall into that category and will be marked as non-secure.
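A site owner can check in advance which pages match the criteria described above. The following is an added example, not code from the original article or from Google: the rules it applies (password inputs, `autocomplete="cc-*"` hints, and `http://` URLs in `script`, `img` and `iframe` tags) are a simplified assumption rather than Chrome's actual detection logic, and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that load subresources. An http:// URL here on an HTTPS page is mixed
# content. Plain <a href> links are navigation, not subresources, so they are skipped.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src"}


class PageAudit(HTMLParser):
    """Collects sensitive input fields and insecure subresource URLs."""

    def __init__(self):
        super().__init__()
        self.sensitive_fields = []
        self.insecure_resources = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            if a.get("type", "").lower() == "password":
                self.sensitive_fields.append("password")
            elif a.get("autocomplete", "").lower().startswith("cc-"):
                self.sensitive_fields.append("credit-card")
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr and a.get(attr, "").lower().startswith("http://"):
            self.insecure_resources.append(a[attr])


def audit(url, html):
    """Return findings for one page, using the simplified (assumed) rules above."""
    page = PageAudit()
    page.feed(html)
    scheme = urlparse(url).scheme
    findings = []
    if scheme == "http" and page.sensitive_fields:
        fields = ", ".join(sorted(set(page.sensitive_fields)))
        findings.append("http page collects: " + fields)
    if scheme == "https":
        findings += ["mixed content: " + r for r in page.insecure_resources]
    return findings


# Constructed sample pages (example.com is a placeholder domain).
LOGIN = '<form><input type="text" name="u"><input type="password" name="p"></form>'
CHECKOUT = ('<input autocomplete="cc-number" name="card">'
            '<script src="http://cdn.example.com/track.js"></script>'
            '<img src="https://example.com/logo.png">')

if __name__ == "__main__":
    for url, html in [("http://example.com/login", LOGIN),
                      ("https://example.com/checkout", CHECKOUT)]:
        print(url, audit(url, html))
```

The checkout sample shows the case from the paragraph above: the page itself is served over HTTPS, yet one script loaded over HTTP is enough to produce a finding.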

As we can see, Google continues to implement its plans concerning HTTPS. Conditions for HTTP are gradually getting stricter. But there is enough time to implement the necessary changes if required.