Google has long been a big proponent of pushing HTTPS as seen with the .app top-level domain where security is default and in Search rankings. The biggest adoption drive has been through Chrome, with the browser soon marking all HTTP sites as “Not secure.”
When that fully rolls out, Google will begin phasing out the green “Secure” badge and lock icon as security becomes the default expectation.
With version 68 in July, Chrome will begin marking all HTTP sites as “Not secure” in the address bar. Google began earlier last year by first applying that label to HTTP sites in Incognito given the increased expectation of user privacy in that mode. The next step sees that warning applied browser-wide when users first visit an HTTP page.
Google will also step up usage on a stronger “Not secure” warning, with accompanying red icon, when users enter data on HTTP pages. The gray Not secure badge will morph to the new, bolder red one when users enter passwords or similar data into a page on Chrome 70 this October.
Since the “default unmarked state is secure,” Google will be moving to slowly phase out the “Secure” wording on HTTPS sites. Starting in September with Chrome 69, users will only see a gray lock icon at the left of the Omnibar. The end goal is to completely remove that icon to provide users with a simpler interface that better reflects the new standards for security.
In terms of HTTPS adoption, Google shared in February that 68% of all traffic on Android and Windows is now secured, with the number jumping to 78% on Chrome OS and Mac. The company also noted that 81 of the top 100 sites on the web use HTTPS.
In limiting the visual distraction, users will only have to care when they visit an insecure page. Meanwhile, the move also reflects the evolving expectation of default security. Some users will likely notice the change, but clicking the info icon in the address bar will still note that a “Connection is secure.”