Google’s Chrome Browser is now listing all unencrypted sites as explicitly “not secure,” beginning with today’s release of Chrome 68. The change applies equally to all HTTP sites, which will now display a “Not Secure” image in the address bar. HTTPS-enabled sites are unaffected by the change.
First announced in February, Chrome’s design shift is the latest move in a multipronged push by Google for more encryption on the web. Login sites have displayed similar “not secure” warnings since 2016, with gradually escalating alarms for expired certificates. Google has also subtly boosted HTTPS-enabled sites in search rankings since 2014, a significant incentive for webmasters to adopt the protection.
Along with the product-based nudges, Google has funded significant research into the encryption standards underlying HTTPS, donating server time to demonstrate a SHA-1 collision in February 2017.
HTTPS is a form of web encryption that secures the connection between the user and the sites they visit. Websites and ad networks served without encryption are vulnerable to malware injection, a common tactic for low-level cybercriminals.