What happened to HTTP and HTTPS in Chrome?

Martin Brinkmann
Sep 3, 2018
Updated • Aug 2, 2019
Google Chrome
|
33

Chrome users who run version 69.x of the web browser will notice that Google changed how the address of webpages is displayed in the browser.

Chrome displayed the scheme, the http:// or https:// part of the address, previously in front of the address which highlighted the type of connection, e.g. a secure connection using encryption for https, to the user.

Starting with Chrome 69, Chrome omits http and https from the address. and replaced "secure" with a lock icon for https sites.

Update: It seems that Google reverted the change in Chrome 69. It is still the status quo in Chrome Canary though.

Google announced in 2018 that it would make changes to how the company's web browser Chrome would display the scheme and address of websites.

Google would remove the protocol from the address bar in Chrome for the desktop and Chrome for Android from Chrome 69 on. The "secure" label would be removed as well from Chrome leaving just a lock icon for a period of time in its place before it would be removed as well.

To summarize: Instead of displaying the full web address, which includes the scheme and the entire URL, Chrome displays only a lock icon and the URL in the browser's address bar.

Sites that use http, which is less secure and private, won't show the http:// scheme as well anymore but they will have an (i) icon placed in front of the address that indicates to users that the connection is not secure. Starting October 2018, sites that still use http will have a "not secure" label added next to their addresses in the Chrome address bar.

chrome new not secure http

The change happens in Chrome 69 which is available on the Beta channel right now. The changes will hit the stable channel of the web browser in September 2018. The stable channel is used by the bulk of users and it will be interesting to see how they will react to the change.

  • http:// -- removed from Chrome. Chrome displays an (i) icon and eventually a "not secure" label.
  • https:// -- removed from Chrome. Chrome displays a "secure" label, eventually a "lock icon". Plans are underway to remove the lock icon in the future as well.

Note: Activation of the address bar and using the cursor afterward displays the scheme if the site uses https. Nothing is added when the site uses http.

Why is Google making the change?

One of the main reasons for making the change is the idea that https should be the default nowadays and that all sites should use it. So, instead of highlighting sites that use https with "secure" or another indicator, Google decided that it would be best to display nothing at all eventually as it should be the default for the majority of sites.

The company makes the change gradually, first by removing the "secure" indicator and the https scheme, then by removing the lock icon that replaced the two labels.

For sites that do use http it is the other way round. While Google will remove http from the address as well, it will indicate to users that the connection to the site is not secure.

How to undo the change?

chrome hide http https

Chrome users who run version 69 or newer of the browser can undo the change at this point in time. The option is powered by an experimental flag that may be removed by Google at any point in time.

For now though, it is possible to restore the display of the scheme and trivial subdomains.

  1. Load chrome://flags/#omnibox-ui-hide-steady-state-url-scheme in the browser's address bar.
  2. Select disabled.
  3. Load chrome://flags/#omnibox-ui-hide-steady-state-url-trivial-subdomains
  4. Select disabled.
  5. Restart Chrome.

Now You: What is your take on the change?

Summary
What happened to HTTP and HTTPS in Chrome?
Article Name
What happened to HTTP and HTTPS in Chrome?
Description
Chrome users who run version 69.x of the web browser will notice that Google changed how the address of webpages is displayed in the browser.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Jason said on November 27, 2019 at 3:30 am
    Reply

    When they officially remove the padlock, will there still be a way to easily access site cookies, site settings, and the other info Chrome gives when you press the padlock icon?

  2. Jake said on August 9, 2019 at 8:41 pm
    Reply

    Obnoxious…. We don’t need Google controlling what we see. Hello Firefox.

  3. Artem Russakovskii said on August 2, 2019 at 1:50 am
    Reply

    This option in v76 is now called chrome://flags/#omnibox-ui-hide-steady-state-url-trivial-subdomains.

  4. TelV said on September 22, 2018 at 2:35 pm
    Reply

    According to bleepingcomputer this morning Google proposes to remove the www subdomain from the search results as well now: https://www.bleepingcomputer.com/news/google/google-testing-removal-of-www-subdomain-from-search-results/

  5. LTL said on September 5, 2018 at 10:23 am
    Reply

    If you don’t like the new design, set “chrome://flags/#top-chrome-md” to ‘normal’.

    If you want to keep seeing http and https, set “chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains” to ‘disabled’.

    (Thanks to @lekozz on tweakers.net)

    1. Ross Presser said on September 7, 2018 at 7:53 pm
      Reply

      Using “chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains”=”disabled” got my https back, but http is still hidden. Screenshot:
      https://www.screencast.com/t/aXbYiEWQRqJ8

  6. Anonymous said on September 5, 2018 at 6:15 am
    Reply

    if you double click in the address bar you will see the full address including https://www.

  7. alvalongo said on September 4, 2018 at 4:05 pm
    Reply

    Bad idea, why hide information?
    The company where I work for has an intranet website is using HTTP, and Chrome marks as insecure and some times refueses to display.
    The company uses across all LAN devices (servers, desktop PCs, latops, firewalls) Trend Micro Office Scan so it doesn’t need an intranet with HTTPS.
    First take away the bar menu, the page title is gone, then some options like “open” are hiden, etc.
    So the future browser will be a “kiosk browser”, no menu, no address bar, no options, all hiden.

    1. Robert Talada said on August 14, 2019 at 1:48 am
      Reply

      Yes you do need HTTPS. I could hijack your users and show them a fake version of your Intranet site by DNS/ARP poisoning/spoofing your WiFi access point from the parking lot. Your users will have no idea that my fake server is fake because you have trained them to trust the host by name only, no certificate required.

      If you don’t want to spend $7 then you can just make your own CA and issue a certificate for the server, then tell your machines to only trust your CA for that certificate, effectively putting the banhammer on any copy of your site not approved and signed by your CA. (This might come across as sarcastic if you’re not aware of how easy it is to create a CA and issue a certificate. I am not being sarcastic.)

      SSL’s first purpose is to guarantee the identity and authority of your host and the integrity of the data coming from it.

  8. Anonymous said on September 4, 2018 at 2:30 pm
    Reply

    Hi
    what should I do if I have a intranet website?
    it’s shows me that site is insecure.
    I am using a vpn to connect to domain.
    when I open a website in my domain – from my intranet it shows me that is not secure.

    what should I do?

    Doron

    1. Robert Talada said on August 14, 2019 at 1:39 am
      Reply

      Generate your own certificate and tell all the machines on your network to trust your CA. Problem solved and no money spent.

    2. scott said on September 4, 2018 at 6:23 pm
      Reply

      you need to pay for a security certificate that enables https communication. Not a bit deal. I’m not sure why secure matters if all you are doing is browsing some internal web site. Our church web site is “insecure”, and no one really cares…

  9. Jim Aron said on September 4, 2018 at 2:30 pm
    Reply

    The ultimate goal of these changes in web browser display from Google is leading to a secure environment for websites on the Internet. Being a secure website, you don’t need to display any security badges or padlock on your website per Google upcoming policy. And it is going to be a game changer for all browsers and they will change their stand for security.

    1. TelV said on September 4, 2018 at 6:00 pm
      Reply

      @ Jim Aron,

      The problem is a secure site doesn’t mean it’s safe. Since the advent of the Let’s Encrypt CA anyone can obtain a free SSL secured certificate including the bad guys. Removing the lock symbol and EV certification implies that users will have to scrutinize sites much more closely especially if they’re intending to conduct financial transactions: https://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html

  10. TelV said on September 4, 2018 at 12:01 pm
    Reply

    How is the change going to affect sites using EV certificates such as banks or organisations connected to them such as this one: https://www.ideal.nl/

    When visiting such sites the name of organisation appears on the left hand side of the location bar along with the lock symbol. Personally, I wouldn’t be too happy about it if I couldn’t instantly verify that the site I’m connected to is the one I intended where financial transactions are concerned.

  11. Jeff said on September 4, 2018 at 10:59 am
    Reply

    What if a site is for example: https://www.ghacks.net vs https://ghacks.net ? Will both of them show the same way? o_0 That will be an epic blunder.

    1. Martin Brinkmann said on September 4, 2018 at 12:00 pm
      Reply

      www. is still shown, isn’t it?

      1. Jeff said on September 5, 2018 at 4:55 pm
        Reply

        No it isn’t in my Chrome 69. https://opennet.ru/ and https://www.opennet.ru/ appear the same in the address bar unless I press Alt+D and then left or right arrow key to unhide it.

  12. ShintoPlasm said on September 4, 2018 at 7:17 am
    Reply

    First they came for the HTTP scheme, and I didn’t speak up. Then they came for the little green lock… ;)

  13. basicuser said on September 4, 2018 at 3:21 am
    Reply

    What is your take on the change?

    A nudge down the path to blind trust in the wonderland of Google. And Joe Average won’t notice.

  14. Ross Presser said on September 4, 2018 at 2:39 am
    Reply

    It’s the continuation of an extremely stupid idea combined with an effort to exert control over internet users. First they took away the http indicator. Next they move on two fronts, taking away https and taking away the path after the domain. In the end, the user will be completely prevented from having any knowledge at all of what site or page they are viewing, or any ability to change it either. The address bar will be gone, there will be no links on the page, no bookmark bar, no way to have any input whatsoever on what is displayed on your screen. Only then, when the computer has reverted to bring a non interactive TV, will they be content.

  15. DenialofService said on September 4, 2018 at 12:46 am
    Reply

    I don’t really care, I use a VPN! :)

    1. Robert Talada said on August 14, 2019 at 1:37 am
      Reply

      Using a VPN doesn’t protect you or the site you’re trying to get to from Man-in-the-Middle attacks. Only SSL can guarantee that the server you’re trying to reach is the server you are actually talking to.

    2. John Fenderson said on September 5, 2018 at 10:33 pm
      Reply

      @DenialofService

      I really don’t care, as I don’t use Chrome and never will. My fear is that other browsers will copy them.

  16. Deo et Patiae said on September 3, 2018 at 11:34 pm
    Reply

    In current status quo, Google has the power to pull such things and I don’t mid it at all. As long as it is in the right direction. Before Google in order such a change to take effect we would need eons.

    1. John Fenderson said on September 5, 2018 at 10:32 pm
      Reply

      @Deo et Patiae: ” As long as it is in the right direction”

      And there’s the rub. Why should Google be the one to decide what “the right direction” is? I’m sure I’m not the only one who thinks they can’t be trusted on this.

  17. Yuliya said on September 3, 2018 at 9:21 pm
    Reply

    imgur.com/tSzha7n
    Good design!

    1. Ross Presser said on September 4, 2018 at 2:58 am
      Reply

      Bullshit. Every decision designed to hide information is a bad design.

      1. lehnerus2000 said on September 4, 2018 at 3:24 pm
        Reply

        Agreed.

  18. Anonymous said on September 3, 2018 at 9:04 pm
    Reply

    To dig a little deeper, I suspect Google is pushing for https (eg downranking http sites…) not because it believes in universal good, but because it’s at war with internet service providers on the question of who will have absolute control over the internet (see the net neutrality war too). Https kills lots of potential abuse from internet service providers (some forms of spying/censoring/injecting).

    But this has good side effects for us.

    1. Walter said on September 3, 2018 at 11:59 pm
      Reply

      Google and Symantec are in a battle.
      https://duckduckgo.com/?q=google+vs+semantec&atb=v127-3&ia=web

      Most users are ‘bottom feeders’ and unaware of the implications of certificates. All they want is to be able to post their photos, read gossip and watch cat videos. They don’t want to know how it works. If the computer fails, they take it to the shop. It comes back repaired but nothing changes their click-anything habits. However, a big red warning ‘Insecure website’ will probably alarm a lot of users, potentially turning them away from websites. Those website owners face a decision, stay with Symantec-based certificates and lose traffic or switch and recover previous traffic.

      Symantec hit back with blogs like the following
      https://www.symantec.com/blogs/threat-intelligence/apps-containing-aggressive-adware-found-google-play
      It’s a bit like David Vs Goliath with David restricted to grains of sand and no slingshot.

  19. chesscanoe said on September 3, 2018 at 8:59 pm
    Reply

    Using Version 69.0.3497.72 (Official Build) beta (64-bit) of Chrome under Windows 10 x64 Home shows Ghacks site correctly showing just the lock. However clicking on the lock shows a connection secure message, as well as certificate valid, 3 cookies in use, and a link to site settings. With no icon planned for the future, I wonder if the blank space to the left of the first tab will show this information for the active tab?

    1. Martin Brinkmann said on September 3, 2018 at 9:19 pm
      Reply

      Good question. I don’t know how Google plans to address this, or at all.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.