What Chrome's 'Not secure' warning for unencrypted HTTP websites really means
Google’s taking a more aggressive role in encouraging websites to encrypt their connections to protect user data. Chrome 68 starts rolling out today, and the browser update labels any site that isn’t using HTTPS with a valid certificate as “Not secure” in the address bar. Previous versions of Chrome took a more positive angle, giving encrypted websites a green “secured” lock icon.
HTTPS encrypts the connection between your computer and the site you’re visiting. That keeps other people on your network from reading the information you send and receive. Not only is HTTPS vital when you’re sharing private information with a website—which is why Chrome rolled out similar warnings for unsecured pages with login fields and in Incognito mode last year—but it also prevents the site you’re visiting from being tampered with by outside parties, combating injected ads and fake websites that try to steal your passwords.
Chrome 68’s “Not secure” warning does not mean you’ve been hacked—but it does mean your traffic isn’t protected, so it could be read or altered in transit.
Encrypted websites used to be rare, limited to login pages and commerce sites, but they’re much more common in today’s privacy-aware world. According to Google, 76 percent of all Chrome traffic on Android and Windows is encrypted, and 83 of the top 100 sites on the web default to HTTPS. But it still isn’t universal. Computer security expert Troy Hunt created a “Why no HTTPS?” list that names the most popular non-secure websites to coincide with Google’s public shaming. Many are Chinese, but you’ll also see several big-name sites, including Wikia.com, Twitter’s link service, the BBC and Daily Mail, ESPN, Fox News, FedEx, IGN, and more.
So far, Chrome is the only browser making an effort to highlight non-secured sites. Google hopes that Chrome’s clout—it holds more than 60-percent browser share, per Net Applications—can help tip the scales into making every website embrace encryption, so you know your data is secure. And the public shaming will only get more pronounced: Chrome 68’s “Not secure” warning for HTTP sites is in simple black text, but when Chrome 70 rolls out in October, it’ll switch to glaring red.
Protect yourself: Some sites maintain separate secured and non-secured versions of their pages. Installing the Electronic Frontier Foundation’s excellent HTTPS Everywhere extension for Chrome, Firefox, and Opera forces the sites you visit to deliver HTTPS pages if they’re available. Conversely, if you’re a website owner and don’t want it branded by Chrome’s mark of shame, Let’s Encrypt offers free, automated certificates. It takes most of the hassle out of enabling encryption.