Google announced that its security indicators for HTTPS and HTTP pages will change starting this fall, in versions 69 and 70 of Chrome. HTTPS websites will no longer be shown as "Secure," while HTTP pages will be shown as "Not Secure" in red font when users enter data.
Evolution Of Web Security Indicators
Over the past couple of years, both Chrome and Firefox have started encouraging web developers to adopt HTTPS encryption by giving them small incentives such as showing their websites’ address next to a padlock icon with a “Secure” label in green. This was supposed to make users trust these websites more, because the data exchange between the user and the server would be encrypted.
Since then, and due in no small part to the Let’s Encrypt project, which is backed by Mozilla, EFF, and others and has been offering free HTTPS certificates to everyone, many more websites have adopted encryption.
Now, Google believes that users should expect that the web is “safe by default.” Therefore, users shouldn’t need bright green labels and padlocks to know whether or not the website they visit is secure.
Chrome 69 To Lose The “Secure” Label
Starting with Chrome 69, which should land this September, Google’s browser will lose the green “Secure” wording, and its padlock will turn from green to grey. The company added that eventually Chrome will lose the padlock, too, and all you’ll see will be the web address without HTTP, HTTPS, or any other label or symbol next to it.
It’s possible Google also doesn’t want internet users to believe that a site is “secure” just because it's using HTTPS encryption. A site could use HTTPS encryption and then still lose all of your account data to hackers due to poor server security hygiene. HTTPS encryption only guarantees that your connection to the site is secure, but it says nothing about how secure your data is on a company’s server.
Chrome 70 To Add “Not Secure” Warning In Red
Chrome 56 started showing users a “Not Secure” warning in grey on login pages. Starting with Chrome 70, this fall, users will see a “Not Secure” warning in red when they enter data on HTTP pages. The HTTP pages will also be labeled “Not Secure” in grey at all times.
Perhaps the most controversial change in Google’s announcement is Google’s statement that users should expect the web to be safe. Whether we’re talking about HTTPS, PGP, S/MIME, or other encryption and security protocols, it may not serve users to hide what protocols are being used to protect their data. At the end of the day, this is also an issue of transparency, and users deserve to know how their traffic and data are protected.
Google expects that when the “Secure” label and padlock are gone, users will continue to believe that the same sites are just as secure. However, this may not happen because users have been trained for decades to expect no security unless claimed otherwise.