Google Chrome users met with ‘Not secure’ warnings when visiting HTTP sites

Graham Cluley

If you’re still running a website that is using insecure HTTP then it’s probably too late.

Some of your website’s visitors are going to be greeted with a message that tells them that they can’t trust your website to be secure.

That’s the message they’re going to get from Google Chrome which – in version 68 released on Tuesday 24 July 2018 – is changing its behaviour, and will start labelling all sites that continue to use unencrypted HTTP as “not secure”.

And as Chrome is the world’s most widely-used browser, that’s an awful lot of visitors who might feel unsettled visiting your website from Tuesday.

Daily Mail's website doesn't use HTTPS

It’s not as though website administrators haven’t been given fair warning. The Chrome browser has been marking HTTP webpages that ask for passwords or payment card details as not secure since early last year.

And in February, Google confirmed that with the release of Chrome 68 this month it would “mark all HTTP sites as ‘not secure’.”

HTTPS is good for your website visitors, and it’s good for your website.

Enabling HTTPS stops your webpages from being tampered with in transit, and stops anyone from snooping on the data that your users might be sending to your website. And, if you need any more convincing, Google has indicated that if your website has HTTPS that’s going to help your search ranking too.

And HTTPS doesn’t have to cost you anything. The Let’s Encrypt initiative lets anyone who owns a domain name obtain a trusted certificate at no cost. If Let’s Encrypt is too nerdy for you, you might be able to use the likes of Cloudflare’s free plan to get that all-important HTTPS in your URL.

Security expert Troy Hunt has created a simple website entitled (appropriately) httpsiseasy.com which can walk you through the process of setting up with Cloudflare.

Some website owners are going to be pretty upset about Chrome telling their users that their websites are “not secure”. There may even be some regular internet users who are upset too.

But this is an important step in the journey of making the internet a safer, more secure place. Going forward, encryption should be the default, not the exception.

Listen to more discussion about this topic in this episode of the “Smashing Security” podcast:

Smashing Security #88: 'PayPal’s Venmo app even makes your drug purchases public'


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

8 Replies to “Google Chrome users met with ‘Not secure’ warnings when visiting HTTP sites”

  1. One thing the article doesn't address is Google's reasoning behind this, which I think is sound. People don't react the same way to a positive identifier – that of something being present – as they do to a negative identifier – that of something missing. People are more likely to notice and take action if you tell them something that *should* be there is missing. Then there's the more philosophical angle – serving a site over HTTPS isn't really a guarantee that a site is "secure", since phishing sites can easily get a DV certificate through Let's Encrypt. Conversely, not having HTTPS *does* mean the site is insecure, since it's vulnerable in that state.

  2. "Tuesday 23 July 2018" is a typo: We've got Monday 23 July 2018 & Tuesday 24 July 2018.

    Cheers

  3. It isn't bad enough Google reads your email, now they censor what sites you can see!

    They are an Ad agency the internet's self-appointed policeman.

    For god's sake, please spare us the hubris of Google, not all sites need security, many don't sell things, have login, collect data, take payments or are socially connected.

    Thanks Graham for keeping us informed.

    1. I don't think it's fair to describe what Google is doing as censorship.

      This change in functionality within Google Chrome doesn't stop you from visiting any websites. It *does* inform you if the website you're visiting hasn't taken the sensible step of using HTTPS (which is good for both the website owner, and the website visitor).

      It’s a mistake to think that the only sites that need HTTPS are those which you log into or ask for personal information.

  4. Interesting response,

    Let's put it another way.

    I walk into a bar which has a smoking allowed policy, I climb up to the bar, and order a pint of double chocolate, and then light up. The bully at the end of the bar says "Put that out or I will come over and put it out for you."

    I do not put it out, so he comes over, grabs my Macanudo, drops it to the floor, stomps on it, and yells to everyone in the bar, "This jerk is smoking, it's bad for you and I am protecting you."

    Does his earlier warning that he would do that, make it right?

    We may all agree that having encryption is a good thing, I certainly do, but having a bully wiping out my $7 Macanudo or blocking a site I wish to view, regardless of the risk, is not acceptable behavior.

    It is internet bullying by the biggest bully on the internet.

  5. With respect, I disagree. But this isn't the place to have that discussion.

    Thanks for posting and responding.

    Keep up the good work.
