Chrome 68 marks all HTTP websites as Not Secure

Martin Brinkmann
Feb 9, 2018
Google Chrome
|
20

Google announced yesterday that the company's web browser Google Chrome will mark HTTP sites as insecure in Chrome 68 Stable.

The current stable version of Chrome displays an i-icon next to the website address if the site uses HTTP and not HTTPS. HTTPS sites are marked as "secure" in the web browser currently.

Chrome users who click on the icon receive the message "your connection to this site is not secure" and that they should not enter any sensitive data because it can be stolen by attackers.

Google Chrome marks some HTTP sites as not secure already. This is the case for web pages that have password or credit card number fields. Websites with these fields are marked as not secure by the browser since Chrome 56 released in January 2017.

google chrome 68 not secure http

Google Chrome 68 will mark any HTTP site as insecure. Google plans to release Chrome 68 Stable in July 2018.

Webmasters have until then to migrate their sites from using HTTP to HTTPS. Google gives sites that use HTTPS a small boost but that becomes less of a factor as more and more sites start to use HTTPS.

Visitors trust in sites that use HTTP may drop however because of the "not secure" attribute displayed in the browser.

Google notes that 68% of all traffic on Android and Windows, and 78% of all traffic on Chrome OS and Mac OS X is protected by HTTPS already and that the numbers increased significantly in the last year.

Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.

Chrome users who run development builds can enable the functionality right now in the browser. Just load chrome://flags/#enable-mark-http-as in the browser, click on default and set the preference to enabled. Some development versions of Chrome show the "not secure" flag automatically.

Now You: How do you handle HTTP sites?

Related articles

Summary
Chrome 68 marks all HTTP websites as Not Secure
Article Name
Chrome 68 marks all HTTP websites as Not Secure
Description
Google announced yesterday that the company's web browser Google Chrome will mark HTTP sites as insecure in Chrome 68 Stable.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. JC said on February 10, 2018 at 8:25 pm
    Reply

    A noob question: for a message board/forum in HTTP, can your ISP and everything in between see what you’re doing, what you’re writing (if you’re about to post a message/thread), what you’re seeing, your private messages… everything?

    If so, that’s pretty bad then. And there’s a lot of sites such as these that still uses HTTP.

    1. Anonymous said on February 11, 2018 at 5:49 pm
      Reply

      Yes, you should also know that it’s true of your e-mails, which can sometimes be read along the way and always by your and your recipient mail service providers (MSP ?), e.g. Google. Unless you use end-to-end encrypted MSP such as ProtonMail.com, in which case the eventual weakness is your recipient’s MSP.

    2. Imbecilator said on February 11, 2018 at 2:26 pm
      Reply

      > A noob question: for a message board/forum in HTTP, can your ISP and everything in between see what you’re doing, what you’re writing (if you’re about to post a message/thread), what you’re seeing, your private messages… everything?

      Yes, including your username and password, your cookies, … everything.

  2. Stefan said on February 9, 2018 at 10:08 pm
    Reply

    Tons of known sites still use HTTP. Can’t wait until the day all browsers block such sites by default…..and the user can’t unblock them.

    1. John Fenderson said on February 9, 2018 at 10:23 pm
      Reply

      @Stefan

      Any browser that takes it on itself to decide what sites I am or am not allowed to view (regardless of the reason) is a broken browser that is not suitable for use, period.

      Warning? Fine. Blocking? Way over the line.

  3. Bobby Phoenix said on February 9, 2018 at 2:34 pm
    Reply

    The sites I see that are HTTP are basic sites like forums or blogs. No real reason to need HTTPS on sites like that. I don’t recall any HTTP sites that require person data. Most I visit are simple user name, password, and email to be able to post comments, and be notified of replies. Since passwords are different for every site I use, and the email is a throwaway for sites like that, I have no fear of a hack since all that would be gained can’t be used against me for anything since it was for that one site only.

    1. Jessica said on February 9, 2018 at 5:06 pm
      Reply

      You’re not thinking this through. HTTPS encrypts the connection while in transit which safeguards the user from a lot of risks even if no direct publication of private data is ever made by them. Of course, HTTPS by itself isn’t sufficient but it is necessary nonetheless.

    2. HTTPS is NOT just about security said on February 9, 2018 at 3:35 pm
      Reply

      You’re contradicting yourself, “like forums” means they require personal data to be transmitted to login, yet you claim the opposite.

      In any case, it is NOT the case that the only advantage of HTTPS is the security of the data in transit, as anyone can deduce.

      1. Bobby Phoenix said on February 9, 2018 at 5:19 pm
        Reply

        I know, and understand, it’s about more than just security. I was only speaking for myself, and I didn’t contradict myself. If I use a onetime fake name and onetime throwaway email with a onetime password there is nothing on that forum that someone can do research on to find personal information. This is very basic of what I’m talking about, so please don’t go into it deeper like saying an IP address can be found, or I can be traced from that forum. I’m simply talking about hacks. As in someone dumped all user names, emails, and passwords from a breach on a HTTP forum. Seeing my info is not going to go far if someone tries to use that same info on sites like a bank site.

      2. Anonymous said on February 9, 2018 at 5:44 pm
        Reply

        With HTTP, your ISP knows everything you do on that forum. Your ISP know your true identity on top of that, and if you’re in the US they also inject JS into your pages and I think they sell your data to third parties, unless this is a future thing not voted yet.

        With HTTPS, your ISP only knows you visit the forum, but not what you do on it, and they can’t inject anything.

  4. TelV said on February 9, 2018 at 2:10 pm
    Reply

    While it’s commendable that Google is taking these steps they also need to point out that “Secure” doesn’t necessarily mean “Safe” otherwise they’re generating a false sense of security.

    Ever since Let’s Encrypt first appeared on the market by which anyone, including the criminal element can obtain SSL certificates free of charge the lock symbol no longer guarantees that data entered on an SSL enabled site won’t be used for nefarious purposes. That was highlighted on the Trend Micro blog a couple of years ago: https://blog.trendmicro.com/trendlabs-security-intelligence/lets-encrypt-now-being-abused-by-malvertisers/

    1. Imbecilator said on February 11, 2018 at 2:24 pm
      Reply

      That’s because HTTPS only guarantees that no one other than the website you’re communicating with can see what you’re doing, it’s doesn’t guarantee that you’re talking to the right organization. That’s something that EV Certs do.

      1. John Fenderson said on February 13, 2018 at 7:29 pm
        Reply

        “That’s because HTTPS only guarantees that no one other than the website you’re communicating with”

        And, as others have noted, it doesn’t really “guarantee” that, due to the common use of MITM techniques. It just makes it much more likely.

  5. Atlas Baby said on February 9, 2018 at 10:39 am
    Reply

    And don’t forget to install the EFF’s HTTPS Everywhere addon to get automatically redirected to HTTPS if there’s a ruleset for it written (see [1] for all the rulesets) and have connections to HTTPS forced even if they aren’t on the preload list: https://www.eff.org/https-everywhere

    [1] : https://www.eff.org/https-everywhere/atlas/

  6. Anonymous said on February 9, 2018 at 10:19 am
    Reply

    Meanwhile, sites are still marked secure even though all their HTTPS content is unencrypted on Cloudflare’s servers which serve as middlemen for a large part of the web.

    1. jgrahamc said on February 9, 2018 at 1:51 pm
      Reply

      Of course “secure” doesn’t mean that all of your connection, from the initial server down to the user are encrypted.

      1. Anonymous said on February 9, 2018 at 4:51 pm
        Reply

        In other words, the lock is there to show you can trust the connection with your most private information: Only the company you’re communicating with will be able to decrypt it, be it your bank or some e-commerce website to which you give your credit card number.

        With a service Cloudflare we can no longer trust that it is what the lock says, because Cloudflare or Google Shield could be in between decrypting your traffic without us ever knowing you connected to either of them. (Unless we examine the headers we receive in developer tools, since Cloudflare adds a little distinctive bit)

      2. Anonymous said on February 9, 2018 at 4:42 pm
        Reply

        The lock with the green name precisely means that your communication with the company whose name is written up there is encrypted and only decrypted on their end. Cloudflare sits in between invisibly, decrypts that traffic in order to analyse it, and send it along to the company whose name is written up there (sometimes not even re-encrypted, but that’s another topic). Even your ISP can’t do that.

    2. Anonymous said on February 9, 2018 at 10:56 am
      Reply

      *decrypted, not just unencrypted

  7. Mark said on February 9, 2018 at 9:27 am
    Reply

    Hello Martin.
    First I’d like to add that I have been a reader of your site for quite awhile.
    Your articles have been very useful not only for myself, but to a group that I help admin on Facebook. I follow you there also.
    Speaking of which, I’ve noticed while sharing or coming to the site to copy/paste any recent material the page image (On the tutorial) doesn’t render the articles image.
    I’m not sure if it’s on my end or not…

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.