The HTTPS protocol is an upgraded version of HTTP that’s far more secure and enables a large number of new features, as well as making development and implementation a bit easier. Despite all of this, whether for price reasons or because of the way some websites are set up, many webmasters still serve their sites over plain HTTP. According to Google, about half of the traffic served via Chrome these days uses HTTPS, but the company would like to see that figure increase. Google Chrome and the open-source Chromium project that its changes come from have been cracking down on less-secure web solutions lately, and a move away from HTTP is the latest in a long series of security-minded changes to Chrome. While Chrome will not be outright disabling HTTP sites any time soon, it will begin marking those sites as ‘not secure’, so users know of the dangers and can think twice before performing sensitive operations on them.
The move will start off in January, when version 56 of Chrome officially drops. Normally, only sites that have known insecurities, like out-of-date protocols, signs of a breach, or invalid certificates, are treated as ‘not secure’. When a user stumbles onto an insecure site, Chrome warns them by putting a “Not Secure” label in the omnibox, next to the URL. With the upcoming change, this warning will be shown when a user visits any site that asks for a login or any kind of private information while still being served over HTTP. Users will be able to navigate the page freely and use all of its features as normal, but the warning may make them think twice before putting in that password. Sites served over HTTPS can use more modern framework additions and other developments, and are generally less susceptible to data breaches.
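For site owners who want to find the pages this change would affect, the following is an added example (not code from Google or Chrome) that audits a page's HTML for sensitive inputs served over HTTP. Treating password inputs and `cc-*` autocomplete hints as "private information" is this example's assumption, not Chrome's exact rule, and the check for HTTPS pages that post to an HTTP URL goes beyond the case the article describes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption of this example: "private information" means password inputs
# and inputs whose autocomplete hint starts with "cc-" (payment card data).
class SensitiveFieldFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None   # resolved action URL of the enclosing form
        self.findings = []        # (field description, form target) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action submits back to the page URL.
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            kind = a.get("type", "text").lower()
            hint = a.get("autocomplete", "").lower()
            if kind == "password" or hint.startswith("cc-"):
                target = self.form_action or self.page_url
                self.findings.append((a.get("name") or kind, target))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit_page(page_url, html):
    """Return reasons this page would expose sensitive input over plain HTTP."""
    finder = SensitiveFieldFinder(page_url)
    finder.feed(html)
    page_is_http = urlsplit(page_url).scheme == "http"
    reasons = []
    for field, target in finder.findings:
        if page_is_http:
            reasons.append(f"{field}: field rendered on an HTTP page")
        elif urlsplit(target).scheme == "http":
            reasons.append(f"{field}: HTTPS page submits to {target}")
    return reasons


# Constructed sample pages (not taken from any real site).
LOGIN = '<form action="/session"><input name="user"><input type="password" name="pw"></form>'
MIXED = '<form action="http://example.test/pay"><input name="card" autocomplete="cc-number"></form>'

if __name__ == "__main__":
    for url, html in [("http://example.test/login", LOGIN),
                      ("https://example.test/login", LOGIN),
                      ("https://example.test/checkout", MIXED)]:
        print(url, "->", audit_page(url, html) or "no finding")
```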
As the builds of Chrome roll on, Google’s plan is to eventually mark all HTTP sites as not secure in a very prominent way. From there, the change will find its way into incognito mode, and in the final phase, Google will be using the same red icon to warn of HTTP pages that it currently uses to mark HTTPS pages whose security looks to have been compromised. Google’s stance toward old and insecure platforms and services is growing more and more stringent, and warning users of HTTP’s insecurity is sure to be only the first of many moves toward a more secure experience.