Many of Google’s services are served over HTTPS, with YouTube and Calendar being the latest to offer encryption by default. With the majority of the web now moving to this security standard, Chrome will begin explicitly labeling HTTP connections as non-secure…

The multi-phase process begins in January 2017 with Chrome 56 marking HTTP sites that transmit passwords or credit cards as insecure. Historically, HTTP connections have been marked with the neutral indicator of a gray info icon and HTTPS with a green lock and text. In version 56, you’ll see “Not Secure” listed beside the info button and to the left of the URL.

Google has only provided mockups for desktop Chrome, but the change will presumably occur at similar times on Android, iOS, and Chrome OS.

Following releases will extend the HTTP Not Secure warning to Incognito mode where users have a higher expectations of privacy. The final iteration has the security indicator on the address bar changing to the red triangle currently reserved for broken HTTPS connections.

The long-term plan is to mark all HTTP sites as non-secure due to the possibility that others can potentially look at or modify the site before it gets to an end user. Google notes that converting a site to HTTPS is easier and cheaper than ever before, with a substantial portion of web traffic now transitioning to HTTPS. More than half of Chrome desktop pages are now served over HTTPS.

About the Author