What happened to HTTP and HTTPS in Chrome?
Chrome users who run version 69.x of the web browser will notice that Google changed how the address of webpages is displayed in the browser.
Chrome displayed the scheme, the http:// or https:// part of the address, previously in front of the address which highlighted the type of connection, e.g. a secure connection using encryption for https, to the user.
Starting with Chrome 69, Chrome omits http and https from the address. and replaced "secure" with a lock icon for https sites.
Update: It seems that Google reverted the change in Chrome 69. It is still the status quo in Chrome Canary though.
Google announced in 2018 that it would make changes to how the company's web browser Chrome would display the scheme and address of websites.
Google would remove the protocol from the address bar in Chrome for the desktop and Chrome for Android from Chrome 69 on. The "secure" label would be removed as well from Chrome leaving just a lock icon for a period of time in its place before it would be removed as well.
To summarize: Instead of displaying the full web address, which includes the scheme and the entire URL, Chrome displays only a lock icon and the URL in the browser's address bar.
Sites that use http, which is less secure and private, won't show the http:// scheme as well anymore but they will have an (i) icon placed in front of the address that indicates to users that the connection is not secure. Starting October 2018, sites that still use http will have a "not secure" label added next to their addresses in the Chrome address bar.
The change happens in Chrome 69 which is available on the Beta channel right now. The changes will hit the stable channel of the web browser in September 2018. The stable channel is used by the bulk of users and it will be interesting to see how they will react to the change.
- http:// -- removed from Chrome. Chrome displays an (i) icon and eventually a "not secure" label.
- https:// -- removed from Chrome. Chrome displays a "secure" label, eventually a "lock icon". Plans are underway to remove the lock icon in the future as well.
Note: Activation of the address bar and using the cursor afterward displays the scheme if the site uses https. Nothing is added when the site uses http.
Why is Google making the change?
One of the main reasons for making the change is the idea that https should be the default nowadays and that all sites should use it. So, instead of highlighting sites that use https with "secure" or another indicator, Google decided that it would be best to display nothing at all eventually as it should be the default for the majority of sites.
The company makes the change gradually, first by removing the "secure" indicator and the https scheme, then by removing the lock icon that replaced the two labels.
For sites that do use http it is the other way round. While Google will remove http from the address as well, it will indicate to users that the connection to the site is not secure.
How to undo the change?
Chrome users who run version 69 or newer of the browser can undo the change at this point in time. The option is powered by an experimental flag that may be removed by Google at any point in time.
For now though, it is possible to restore the display of the scheme and trivial subdomains.
- Load chrome://flags/#omnibox-ui-hide-steady-state-url-scheme in the browser's address bar.
- Select disabled.
- Load chrome://flags/#omnibox-ui-hide-steady-state-url-trivial-subdomains
- Select disabled.
- Restart Chrome.
Now You: What is your take on the change?
Using Version 69.0.3497.72 (Official Build) beta (64-bit) of Chrome under Windows 10 x64 Home shows Ghacks site correctly showing just the lock. However clicking on the lock shows a connection secure message, as well as certificate valid, 3 cookies in use, and a link to site settings. With no icon planned for the future, I wonder if the blank space to the left of the first tab will show this information for the active tab?
Good question. I don’t know how Google plans to address this, or at all.
To dig a little deeper, I suspect Google is pushing for https (eg downranking http sites…) not because it believes in universal good, but because it’s at war with internet service providers on the question of who will have absolute control over the internet (see the net neutrality war too). Https kills lots of potential abuse from internet service providers (some forms of spying/censoring/injecting).
But this has good side effects for us.
Google and Symantec are in a battle.
Most users are ‘bottom feeders’ and unaware of the implications of certificates. All they want is to be able to post their photos, read gossip and watch cat videos. They don’t want to know how it works. If the computer fails, they take it to the shop. It comes back repaired but nothing changes their click-anything habits. However, a big red warning ‘Insecure website’ will probably alarm a lot of users, potentially turning them away from websites. Those website owners face a decision, stay with Symantec-based certificates and lose traffic or switch and recover previous traffic.
Symantec hit back with blogs like the following
It’s a bit like David Vs Goliath with David restricted to grains of sand and no slingshot.
Bullshit. Every decision designed to hide information is a bad design.
In current status quo, Google has the power to pull such things and I don’t mid it at all. As long as it is in the right direction. Before Google in order such a change to take effect we would need eons.
@Deo et Patiae: ” As long as it is in the right direction”
And there’s the rub. Why should Google be the one to decide what “the right direction” is? I’m sure I’m not the only one who thinks they can’t be trusted on this.
I don’t really care, I use a VPN! :)
I really don’t care, as I don’t use Chrome and never will. My fear is that other browsers will copy them.
Using a VPN doesn’t protect you or the site you’re trying to get to from Man-in-the-Middle attacks. Only SSL can guarantee that the server you’re trying to reach is the server you are actually talking to.
It’s the continuation of an extremely stupid idea combined with an effort to exert control over internet users. First they took away the http indicator. Next they move on two fronts, taking away https and taking away the path after the domain. In the end, the user will be completely prevented from having any knowledge at all of what site or page they are viewing, or any ability to change it either. The address bar will be gone, there will be no links on the page, no bookmark bar, no way to have any input whatsoever on what is displayed on your screen. Only then, when the computer has reverted to bring a non interactive TV, will they be content.
What is your take on the change?
A nudge down the path to blind trust in the wonderland of Google. And Joe Average won’t notice.
First they came for the HTTP scheme, and I didn’t speak up. Then they came for the little green lock… ;)
What if a site is for example: https://www.ghacks.net vs https://ghacks.net ? Will both of them show the same way? o_0 That will be an epic blunder.
www. is still shown, isn’t it?
No it isn’t in my Chrome 69. https://opennet.ru/ and https://www.opennet.ru/ appear the same in the address bar unless I press Alt+D and then left or right arrow key to unhide it.
How is the change going to affect sites using EV certificates such as banks or organisations connected to them such as this one: https://www.ideal.nl/
When visiting such sites the name of organisation appears on the left hand side of the location bar along with the lock symbol. Personally, I wouldn’t be too happy about it if I couldn’t instantly verify that the site I’m connected to is the one I intended where financial transactions are concerned.
The ultimate goal of these changes in web browser display from Google is leading to a secure environment for websites on the Internet. Being a secure website, you don’t need to display any security badges or padlock on your website per Google upcoming policy. And it is going to be a game changer for all browsers and they will change their stand for security.
@ Jim Aron,
The problem is a secure site doesn’t mean it’s safe. Since the advent of the Let’s Encrypt CA anyone can obtain a free SSL secured certificate including the bad guys. Removing the lock symbol and EV certification implies that users will have to scrutinize sites much more closely especially if they’re intending to conduct financial transactions: https://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html
what should I do if I have a intranet website?
it’s shows me that site is insecure.
I am using a vpn to connect to domain.
when I open a website in my domain – from my intranet it shows me that is not secure.
what should I do?
you need to pay for a security certificate that enables https communication. Not a bit deal. I’m not sure why secure matters if all you are doing is browsing some internal web site. Our church web site is “insecure”, and no one really cares…
Generate your own certificate and tell all the machines on your network to trust your CA. Problem solved and no money spent.
Bad idea, why hide information?
The company where I work for has an intranet website is using HTTP, and Chrome marks as insecure and some times refueses to display.
The company uses across all LAN devices (servers, desktop PCs, latops, firewalls) Trend Micro Office Scan so it doesn’t need an intranet with HTTPS.
First take away the bar menu, the page title is gone, then some options like “open” are hiden, etc.
So the future browser will be a “kiosk browser”, no menu, no address bar, no options, all hiden.
Yes you do need HTTPS. I could hijack your users and show them a fake version of your Intranet site by DNS/ARP poisoning/spoofing your WiFi access point from the parking lot. Your users will have no idea that my fake server is fake because you have trained them to trust the host by name only, no certificate required.
If you don’t want to spend $7 then you can just make your own CA and issue a certificate for the server, then tell your machines to only trust your CA for that certificate, effectively putting the banhammer on any copy of your site not approved and signed by your CA. (This might come across as sarcastic if you’re not aware of how easy it is to create a CA and issue a certificate. I am not being sarcastic.)
SSL’s first purpose is to guarantee the identity and authority of your host and the integrity of the data coming from it.
if you double click in the address bar you will see the full address including https://www.
If you don’t like the new design, set “chrome://flags/#top-chrome-md” to ‘normal’.
If you want to keep seeing http and https, set “chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains” to ‘disabled’.
(Thanks to @lekozz on tweakers.net)
Using “chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains”=”disabled” got my https back, but http is still hidden. Screenshot:
According to bleepingcomputer this morning Google proposes to remove the www subdomain from the search results as well now: https://www.bleepingcomputer.com/news/google/google-testing-removal-of-www-subdomain-from-search-results/
This option in v76 is now called chrome://flags/#omnibox-ui-hide-steady-state-url-trivial-subdomains.
Obnoxious…. We don’t need Google controlling what we see. Hello Firefox.
When they officially remove the padlock, will there still be a way to easily access site cookies, site settings, and the other info Chrome gives when you press the padlock icon?