PINDROP BLOG

Chrome Will Label More HTTP Pages Insecure

Google is continuing its assault on the unencrypted web, with a change coming to Chrome later this year that will mark any HTTP page on which a user enters data as “not secure”.

In January, Google released Chrome 56, the first version of the browser that included a warning for pages that send confidential data such as credit card information over plaintext connections. The change is a major one, as it puts pressure on site owners to move their sites–or at least the pages that ask for sensitive information–to HTTPS connections. Google has been making incremental changes in Chrome and its web services to shift as much traffic as possible to encrypted connections, and in so doing has also been nudging site owners in the same direction.

Now, the company is planning to expand the use of the “not secure” warning in Chrome to include many more HTTP pages, beginning in October with the release of Chrome 62. That change will also affect HTTP pages a user views in Incognito mode, the Chrome mode that lets users browse the web without the browser collecting any browsing history or other data. Since the release of Chrome 56 three months ago, Google has seen a reduction in the number of people visiting HTTP pages that ask for credit card or other sensitive data.

“Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we’re ready to take the next steps,” Emily Schechter of the Chrome security team said in a post explaining the change in the browser.

“Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the ‘Not secure’ warning when users type data into HTTP sites.”

The changes won’t stop there, either. Schechter said Google eventually will warn users about any HTTP page in Chrome, even if they’re not using Incognito mode. Mozilla made a parallel move with Firefox in January, warning users about sending sensitive information on plaintext connections.