By the end of this month (January 2017) some important things will have happened: the US will have a new president... but more importantly Google are sending Chrome 56 into the wild. Along with a range of updates to the browser this will include a new warning to users in the address bar that alerts you to pages being non-HTTPS, or 'Not secure' as Google put it.
At this stage the warning will only affect HTTP pages that contain either password or credit card data fields in web forms. The current behaviour is just to display a generic icon in the address bar that users can click to get more information about the page security. Chrome 56 will add 'Not secure' to this area (see diagram) for pages that contain the password or credit card fields.
In a previous blog post about HTTPS I said:
It's not a huge leap of imagination to see a situation arising where the major web browsers move to warn users that the site they're about to visit isn't secure.
Well, it looks like that's happening a little sooner than I would have expected. Whilst this move is unlikely to seriously upset the usage of non-HTTPS websites, if you look at the roadmap for Chrome in this area there's good reason for non-HTTPS website owners to be concerned.
In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.
Google are giving webmasters a gentle shove to get on to HTTPS at this stage. Later this year we'd expect this to become more of a push. Beyond that, if you're sticking with HTTP and you're running a site with user accounts or payments, then you should expect a bumpy ride from Google's browser and search products.
Images and quote from https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Published: Jan 5, 2017