Chrome already marks HTTP pages as “Not secure” in the Omnibox when entering in passwords or financial information, and as of October 2017, the list of times HTTP pages will have the warning displayed will be increasing. Any page where a user is typing anything at all, be it a forum post or a captcha, will be marked as insecure if it hasn’t migrated to HTTPS by October. The same goes for all HTTP pages in Incognito mode, warning users that browsing in Incognito mode does not mitigate all possible security risks.
According to the Chromium team, the reason for the warning in Incognito mode is to let users know that their expectations of increased privacy and security when browsing in Incognito mode are unlikely to be met by HTTP pages, since the protocol makes it fairly easy for anybody on the same network as the user or the hosted content to see what they’re doing. Pages will now also be marked as “Not secure” while users are performing any sort of data entry through an HTTP web page, for the same reason. Since anybody on the same network as the user or the content could potentially intercept that data input, it’s not a very secure way of doing things, even if the data you’re inputting is something fairly mundane.
This is just the latest step in Chrome’s campaign to warn users of the dangers of sites using the HTTP protocol. The mission started with marking HTTP websites as “Not secure” when there was password entry or the input of financial information going on, back when version 56 of Chrome dropped. When the changes outlined above occur in October, Chrome is projected to be on version 62. The final phase of Google’s plan will see all HTTP web pages marked as “Not secure” at all times. At that point, as it is right now, users are still free to use the websites as they please, without even having to pass through a security nag screen, but should take heed that their activity on the network is unsecured, and can be seen by anybody with sufficient knowledge who happens to be on the same network.