Earlier this year, Chrome started marking unencrypted HTTP web pages that take credit card information or passwords as “not secure.” Starting in October 2017, the browser will mark web pages this way in two additional situations: when the user has to enter data, and for all the HTTP pages that users load in the browser’s Incognito mode.
Boosting HTTPS Websites
In 2016, Google announced that it plans to gradually implement changes in Chrome that would make it easier for users to identify websites that don’t use secure connections. The number of HTTPS websites has grown rapidly lately, in no small part because of Let’s Encrypt’s free HTTPS certificate issuance service. However, we’re still a long way from having all websites on the internet use encrypted connections.
Google has tried to encourage the use of HTTPS in various ways, too, from slightly boosting search ranking of HTTPS websites, to indexing the HTTPS version of a web page first, to now using Chrome to mark unencrypted websites as not secure.
Impact Of “Not Secure” Marking
Google said that since it started using the “Not Secure” marking for web pages that ask for passwords or credit card information, traffic to such pages has dropped by 23%, which is significant. This shows that such policies have a real impact first on users who are educated about the security of the pages they visit, and ultimately on the website operators who will have to secure those pages to get back that traffic.
Google argues that passwords and credit card information aren’t the only type of information that should be private and secure; any type of data that is entered into a form on a website should be secure, too. This is why version 62 of Chrome will begin to mark pages that don’t use HTTPS, but ask for user data, as “not secure.”
A More Private Incognito Mode
Google also noted that when people use the Incognito mode of Chrome, they expect an increased level of privacy. With the exception of some network metadata, encrypted HTTPS connections keep the contents of the communications between the user and a web server hidden from outside parties (short of a malicious hack against that server).
Marking HTTP websites as “not secure” in Incognito mode will not directly increase users’ privacy, but it should encourage websites to adopt HTTPS encryption. In the meantime, it will educate users to be more careful with the data they share with unencrypted websites.
Google wouldn’t give a fixed deadline, as it still wants to see how fast everyone adopts HTTPS encryption. However, it did say that it plans to eventually mark all HTTP web pages as not secure, even outside of Incognito mode. That day may arrive sooner than expected for some websites, which is why the company encourages all website operators to start transitioning to HTTPS right now.