A milestone for Chrome security: marking HTTP as “not secure”
Security has been one of Chrome’s core principles since the beginning—we’re constantly working to keep you safe as you browse the web. Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”. This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users.
More encrypted connections, more security
When you load a website over plain HTTP, your connection to the site is not encrypted. This means anyone on the network can look at any information going back and forth, or even modify the contents of the site before it gets to you. With HTTPS, your connection to the site is encrypted, so eavesdroppers are locked out, and information (like passwords or credit card info) will be private when sent to the site.
Chrome’s “not secure” warning helps you understand when the connection to the site you're on isn’t secure and, at the same time, motivates the site's owner to improve the security of their site. Since our announcement nearly two years ago, HTTPS usage has made incredible progress. We’ve found in our Transparency Report that:
- 76 percent of Chrome traffic on Android is now protected, up from 42 percent
- 85 percent of Chrome traffic on ChromeOS is now protected, up from 67 percent
- 83 of the top 100 sites on the web use HTTPS by default, up from 37
We knew that rolling out the warning to all HTTP pages would take some time, so we started by only marking pages without encryption that collect passwords and credit card info. Then we began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure. We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages.
Making encryption easy
If you’re a site owner looking to migrate (or build!) your site on HTTPS, we’ve helped make the process as simple and inexpensive as possible. Improvements include managed HTTPS for Google App Engine, required and automatic HTTPS on all .app domains, and free and automated certificates through Let’s Encrypt (Chrome is a Platinum sponsor). And if you’re in the process of migrating to HTTPS, look out for messages coming from Search Console with further information and guidance.
So when you’re shopping for concert tickets or online banking, rest assured: you’ll be warned if a site is not protecting your data with HTTPS. And we’ll continue to improve Chrome’s security, to make sure you’re using the most secure browser out there.