One small step for a browser, one giant leap for web security!

With the release of Chrome 68 we're seeing a fundamental shift in our expectations of security on the Web, we will now see the 'Not Secure' warning present on all sites that use HTTP!


A long time coming

This change may come as a surprise to some people, many people in fact, but it has been a long time in the making. Way back in September 2016 Emily Schecter wrote about Moving towards a more secure web. In that blog she detailed how Chrome was going to start marking HTTP pages as Not Secure if they contained password or credit card input fields, a very sensible move. Emily also re-iterated the upcoming change back in February 2018 in A secure web is here to stay so no one can say there hasn't been information about the coming changes!


http-not-secure-password


Those changes landed with Chrome 56 back in January 2017 and in the same post Emily also talked about changes that were coming in future releases.


In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.


http-bad


With the long term goal set out in that blog post, it shouldn't come as a surprise that to get there, Chrome was going to take smaller, incremental steps. This week, we're seeing the next step in that long term plan.


General progress

Alongside the impending changes from Chrome there have been countless other factors in our push towards an enrypted web and we've seen HTTPS deployed on a scale never before seen in history. For almost 3 years now I've been tracking the adoption of HTTPS in the top 1 million sites on the web and we've seen staggering progress.


https-sites


You can see that data in my latest report from Feb 2018 and next month the Aug 2018 report is due and I'm hoping to see even more awesome progress being made!


The Chrome UI changes

With the update from Chrome 67 to Chrome 68 you're going to see a subtle change to the UI for all HTTP sites. This is what one of my sites looks like in Chrome 67:


http-67


Here's what that same site is going to look like in Chrome 68:


http-68


That's only a small change, and that's kind of the point, but it's a step in the right direction. The browser is now providing information that the connection to the site is not secure and if you click the indicator it gives more information too:


connection-info


Future changes

As Emily pointed out in the article I linked at the beginning of this post, the eventual goal is to mark all HTTP as actively dangerous with the red warning. If you want to see what that looks like right now, Chrome already has the feature built in. Head over to chrome://flags/#enable-mark-http-as and you can enable the feature at various different levels. This is how I took the above screenshots before Chrome 68 landed and you can also see what the red warning will look like:


http-dangerous


More info

Alongside the increase in warnings for HTTP there is also a push to simplify the HTTPS UI too. HTTPS is becoming more common and steps to remove the constantly present positive UI are formulating. If you want to see what some of the plans there look like, check out the Simplify HTTPS Indicator flag: chrome://flags/#simplify-https-indicator I will be writing more about that in an upcoming blog post so do check back!