Google’s Chrome browser will be hitting version 68 on the stable channel in July of this year, and when it drops, it’s going to be labeling all non-encrypted, HTTP-based webpages as insecure. This means that users will see an exclamation point in the address bar, as shown in the picture below, and a warning that the site they’re on is insecure. If a user clicks on this prompt, they’ll be greeted by the same warning that currently adorns sites that are unencrypted and collect sensitive information, warning them not to enter any personal information on the site in question because it could be compromised.
To be clear, this does not cripple the functionality of Chrome on the site in any way. If your site is marked insecure, Chrome users will still be able to do anything on it that they would normally have done. They’ll just have a warning in their address bar, making them think twice before doing anything personal on the site, such as inputting credit card information to shop, tying an account at your site to one of their existing accounts, or filling out forms that ask for personal information.
This behavior started off slow back in 2016 and got aggressive with the release of Chrome version 56. From that point on, Chrome showed the Not Secure warning on any webpage that used HTTP instead of the encrypted HTTPS format to handle form data that could include sensitive information. Things have been steadily escalating from there. Currently, the browser does not completely block users from visiting any pages that aren’t outright malicious and proven as such. It does, however, show a full-page warning that has a prominent option to leave the page when users go to a page that has some kind of security risk that could indicate a bigger problem, such an expired or inaccurate SSL certificate. Users can navigate past this warning, but it requires opening up the advanced options on the warning page, meaning that most of the less technically inclined users out there will likely just heed the warning and leave the page. Webmasters who don’t upgrade to HTTPS could very well find themselves on similar ground, in due time.
