Beginning in January 2017, Chrome version 56 and later will label HTTP websites as “Not Secure.” Initially, only pages that transmit passwords or credit card numbers will be labeled this way, but Google’s end game is to mark all HTTP connections as non-secure.
Google has been encouraging HTTPS adoption for some time through incentives such as giving HTTPS websites a boost in ranking in its own search engine, or indexing HTTPS pages by default, but now it’s looking to go a step further by declaring HTTP connections as not secure.
Google said that anyone could look at an HTTP connection, which would enable them to gather sensitive information, such as a credit card number or website credentials. Not only that, but the connections could also be modified to inject malware into them. For instance, you may be trying to download a piece of software, but because attackers can insert themselves between you and the site you’re visiting, they can send you the same file with built-in malware (and it could be done automatically).
Because you may trust that the site won't give you malware, you'll end up clicking the file and getting infected. Assuming the site’s server itself wasn’t hacked, HTTPS connections (normally) guarantee that you’re downloading the file from the intended (and safe) source.
Thanks to multiple factors, from the Snowden revelations, to Google’s promotion of HTTPS, to the availability of free SSL certificates from Let’s Encrypt, many sites have already switched to HTTPS. However, the adoption of HTTPS is still rather slow when we’re talking about hundreds of millions of websites.
According to recent studies, users don’t perceive websites lacking the HTTPS icon as “not secure,” which is why Google is now taking steps to clarify to users that HTTP sites aren't necessarily safe.
Google plans to mark all HTTP websites as non-secure even when Incognito mode is used, as that’s when people expect more privacy. Eventually, the “Not Secure” label will also appear in red font next to a red triangle icon that’s typically used for broken HTTPS.
Google said that it will announce beforehand when a new version of Chrome will switch to using the new warnings, but it recommends that website developers not wait, and switch to HTTPS as soon as possible.