Google Chrome has won the lion’s share of the browser market with about 57 percent usage, blowing away runner-up Safari at just 14 percent. This gives Google the power to encourage change on the web just by tweaking the way Chrome works. That’s what it did over the last few years by making it clear when a site was lacking an HTTPS secure connection. Now that most sites have moved to HTTPS, Google is looking to change the way those warnings appear to emphasize sites that are still lagging behind.
Using HTTPS encrypts and authenticates the connection between you and a website, which prevents someone on the network from reading or altering your traffic or impersonating the site. In the past, the processing overhead for encrypting connections was substantial enough that only pages that took personal information would use it. Now, it’s a vanishingly small amount of processing power compared with all the other things a site has to do.
Google has been pushing the web toward HTTPS everywhere for years, but it stepped up efforts in 2017 with a prominent indicator when sites had secure connections. That indicator is what’s changing. The “Secure” label in your address bar will become less explicit, and it’ll go away completely in time. Meanwhile, the browser will pitch a fit if you happen upon a site that doesn’t have HTTPS.
Starting in September of this year, Chrome 69 will shrink the security indicator from a green “Secure” label and lock icon to just a black icon. Later, Google plans to remove the lock icon as well. It wants HTTPS to be the default, not something about which the browser notifies us. Sites that are not secure will still have the warning in the address bar, but that’s going to become more obnoxious soon.
With the launch of Chrome 70 in October 2018, Google plans to make the non-secure warning more prominent. Previously, too many sites lacked HTTPS to do this, but now it’s time to name and shame. The browser will have a “Not secure” warning in the address bar when you are on an HTTP page. The warning will blink and turn red if you start to type on such a page to make extra-sure you know.
Google advises site administrators who haven’t implemented HTTPS to get on it. The versions of Chrome that make these changes will begin hitting the dev and beta channels very soon. Chrome dev just hit v68, so the next release will include new HTTPS behavior.