Google Chrome to Mark More HTTP Pages as Insecure Later This Year

HTTP pages that accept any kind of user data will be marked as "Not secure" starting in October, the company says.


Starting in October, Google's Chrome web browser will begin displaying a "Not secure" warning on web pages that do not use the HTTPS protocol when users enter data into them.

At the same time, Chrome will also begin displaying the same warning on all HTTP pages that a user visits while in Incognito mode.

The new warnings are part of Google's continuing effort to get website owners to start using HTTPS instead of the less secure HTTP. HTTPS pages encrypt all communications between a user's web browser and the web page they are visiting and are therefore considered more secure against snooping, man-in-the-middle and other types of attacks.

Google, like other browser makers, has been trying to push website owners into adopting HTTPS as part of a broader effort to improve online security for internet users. The company has maintained that HTTPS is critical to ensuring the privacy, authenticity and integrity of communications on the web.

Google first announced its intention to start marking HTTP pages as insecure last September. The notifications are designed to alert internet users about potential privacy and security risks when interacting with HTTP pages.

The warnings are being introduced in a phased manner. Since January, Google has been marking any HTTP page that has a password field or accepts credit and debit card data as insecure. That move has resulted in a 23 percent reduction in the number of desktop Chrome users navigating to HTTP pages with password or payment card forms, according to the company.

The "Not secure" notifications scheduled for later this year will significantly expand the warnings to other types of web pages as well. 

"Passwords and credit cards are not the only types of data that should be private," said Emily Schechter, a member of Google's Chrome security team, in a blog post announcing the changes that will start appearing in October. "Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the 'Not secure' warning when users type data into HTTP sites," Schechter said.

Google's plan is to eventually mark all HTTP pages as insecure.

Google itself has been working since March 2014 to move all of its products and services to HTTPS. Some services like Gmail and YouTube run almost exclusively on HTTPS, while others such as Google Finance are still in the process of being migrated to HTTPS. Stats from Google, for instance, show that Gmail currently runs 100 percent on HTTPS while YouTube is at 99 percent and Finance is at 64 percent. As of April 15, about 85 percent of all Google products and services use HTTPS, according to the company.

Google estimates that as of the end of last year about 25 percent of all web traffic worldwide used HTTPS.

Jaikumar Vijayan


Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.