Moving ahead with its initiative to make the web more secure through the adoption of HTTPS encryption, Google has announced that beginning in July 2018, Chrome 68 will start marking all HTTP sites as “not secure”.
To that end, Google has strongly advocated ‘secure by default’ web sites over the past year and has gradually begun marking a larger subset of HTTP pages as “not secure” so that webmasters can make the change to HTTPS.
Now, Google will identify all the insecure sites in the Chrome browser beginning mid-Summer with the release of Chrome 68. Chrome’s new interface will help users understand that all HTTP sites are not secure, as the new address bar (also known as Omnibox) will now display “Not secure” for all HTTP pages.
So Why Does HTTPS Matter?
“HTTPS unlocks both performance improvements and powerful new features that are too sensitive for HTTP. Aside from providing critical security and data integrity for both websites and users’ personal information, HTTPS is a requirement for many new browser features, particularly those required for progressive web apps.”
The following image shows an example of the security warning in Chrome’s address bar:
Google also reports that this campaign has seen incredible progress in the last year, as developers have already begun transitioning sites to HTTPS, and that progress continues today:
- Over 68% of Chrome traffic on both Android and Windows is now protected
- Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
- 81 of the top 100 sites on the web use HTTPS by default
Furthermore, Google is providing resources for making this change on sites, along with resources for validation and for dealing with mixed content issues.
Will Chrome Display a Warning on Mixed Content?
Google did not explicitly address whether pages that mix secure and insecure content will trigger the warning when opened in Chrome. But since it is providing mixed content audits to help developers migrate their sites to HTTPS, it can be assumed these pages will also trigger a warning.
One such automated tool for improving web pages is the latest Node CLI version of Lighthouse, which helps developers find the resources a site loads using HTTP and those ready to be upgraded to HTTPS simply by “changing the subresource reference to the HTTPS version.”
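To make the idea of "changing the subresource reference to the HTTPS version" concrete, here is an added example (not Lighthouse's code and not from Google) that statically scans markup for subresources referenced over HTTP and proposes the HTTPS form of each. The tag table, the active/passive split and the `.example` hostnames are assumptions of this sketch, and it does not check that the HTTPS version actually exists.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attribute through which each tag fetches a subresource (assumed table).
# <a href> is navigation, not a subresource, so it is deliberately absent.
FETCH_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
              "img": "src", "audio": "src", "video": "src", "source": "src",
              "link": "href"}
ACTIVE = {"script", "iframe", "embed", "object"}  # content that can rewrite the page

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = (attrs.get(FETCH_ATTR.get(tag, "")) or "").strip()
        parts = urlsplit(url)
        if parts.scheme != "http":  # urlsplit lowercases the scheme
            return  # https:, data:, relative and scheme-relative URLs are fine
        kind = "active" if tag in ACTIVE else "passive"
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                kind = "active"
            elif "icon" not in rel:
                return  # e.g. rel=canonical is never fetched as a subresource
        # Candidate fix: the same reference with only the scheme changed.
        candidate = urlunsplit(parts._replace(scheme="https"))
        self.findings.append((self.getpos()[0], tag, kind, url, candidate))

def find_mixed_content(html):
    """Return (line, tag, kind, http_url, https_candidate) for each finding."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup, assumed to be served over HTTPS.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="https://cdn.example/app.js"></script>
<script src="HTTP://cdn.example/legacy.js"></script>
<img src="http://img.example/logo.png?v=2">
<a href="http://other.example/">navigation link</a>"""

if __name__ == "__main__":
    for line, tag, kind, url, candidate in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {kind}: {url} -> {candidate}")
```

Each candidate URL still has to be fetched and compared before the reference is switched, which is the "ready to be upgraded" part that an audit tool verifies over the network.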
Developers can check out the following getting started guides:
- HTTP to HTTPS: Check this getting started guide to securing a website
- Using the Mixed Content audit tool in Lighthouse
Update 02/13: A Google Chrome development team engineer listed four reasons to support HTTPS in a tweet, stating, “People sometimes wonder why the @googlechrome team pushes HTTPS so hard. I’ve read some good conspiracy theories.”
Here’s the reality:
1. Many people on the Chrome team are personally passionate about web security.
HTTPS is a foundational part of web security.
2. We don’t think people know or care about the difference between HTTP and HTTPS.
If everything is HTTPS, one less thing to bother users about.
3. HTTPS Enables Browser Service Workers
ServiceWorkers are revolutionary. They make websites work offline or under flaky network conditions. They’re also too powerful to allow over HTTP. If we want the web to use ServiceWorkers, the web must use HTTPS first.
4. From a business perspective, we want people to both feel and be safe online.