Chrome 68 will label all HTTP sites as 'not secure'

Shawn Knight

Posts: 15,253   +192
Staff member
The big picture: Google argues that all websites should be protected with HTTPS, even if they don't handle sensitive communications. In today's privacy-conscious landscape, that's hard to argue with.

Google’s effort to steer Internet users towards a more secure web takes its next step on Tuesday with the launch of Chrome 68.

The latest version of Chrome will mark all HTTP sites as “not secure.” Up to this point, only a subset of HTTP pages was marked as “not secure” in the browser. The search giant intentionally made the transition a slow one in order to give developers plenty of time to move their sites over to a secure connection.

As of this past February, more than 68 percent of Chrome traffic on Android and Windows was protected (the figure climbs to more than 78 percent on Chrome OS and Mac). Furthermore, 81 of the top 100 sites on the web now use HTTPS by default.

While most would agree that HTTPS is a good thing, not everyone is convinced. This led security researcher Troy Hunt to theorize that those against the broad adoption of HTTPS are simply pushing back because they feel they have lost control and are being “forced” to move due to Chrome’s impending changes.

Hunt has also put together an informative blog post on the matter and published a 24-minute video detailing why static websites need HTTPS.

Developers looking to transition their sites to HTTPS are encouraged to check out Google’s set-up guides for more information.

Permalink to story.

 
Indeed, great video. I used to think there is a place for HTTP, and there is. However, due to the malicious nature of script injection (by not just script kitty but serious corporations and governments), we cannot afford to not use HTTPS. If you don't have 15 min to watch this video, the gist is that using HTTPS on static pages protects not just you, but your site's visitors because it eliminates man-in-the-middle script attacks.
 
You should be able to manually trust or remove the notification though. I have some services running on my home network which arent HTTPS, and they dont need to be, theyre only on the internal network. This change will keep pestering me that im not connected to a secure website.
 
Back in 1995 we didn't have all these sorts of issues today 2018 we do. Https I use that always. But that is only one layer of protection.
 
You should be able to manually trust or remove the notification though. I have some services running on my home network which arent HTTPS, and they dont need to be, theyre only on the internal network. This change will keep pestering me that im not connected to a secure website.
Yeah, like Web access from a lan device to your LAN router would be stupid as HTTPS
 
Back