Reminder: Chrome to soon conspicuously brand sites not using HTTPS

Organizations have only four and a half months to upgrade their Web sites to use HTTPS encryption. After that, Google Chrome browsers will mark sites using only HTTP  as “not secure.”

That’s because starting July 1, with the release of Chrome 68, all Web sites not using encryption will be marked and insecure as a way to give users more confidence in Internet security.

Firms that only use their sites for information and not transactions may not care, but there is a risk that a “not secure” label in the URL will cause reputational harm. Right now Chrome displays an exclamation mark beside the URL of a site that doesn’t use HTTPS and doesn’t have a password or credit card form field. If it does have one of those fields the URL also includes the words “not secure.” Viewers may ignore those signs now.  However, at some point soon those warnings will change to red with a warning triangle.

Sites using HTTPS have a green padlock and the word “Secure” in the URL address line. Increasingly consumers are getting used to looking for it.

Many developers have got the message, Google said in a post last week, saying progress in 2017 was “incredible.” It released these numbers:

  • Over 68 per cent of Chrome traffic on both Android and Windows is now protected;
  • Over 78 per cent of Chrome traffic on both Chrome OS and Mac is now protected;
  • 81 of the top 100 sites on the web use HTTPS by default.

Google said it isn’t hard to set up HTTPS. “Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving Web pages. The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.”

Security writer Graham Cluley notes that  Chrome marked HTTP pages that collect passwords or credit card information as not secure since early 2017, and then extended it to when an HTTP webpage is visited in Incognito (private browsing) mode, and when users enter data on an HTTP webpage.

“Remember,” he adds, “just because a website is using HTTPS does not mean that it can necessarily be 100 per cent trusted – and similarly, a website that is still using HTTP just might be doing a decent job in how it handles the rest of its security or your personal information (although its lack of HTTPS in such a situation would be a surprising omission).” However, a warning is better than nothing.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now