Skip to main content
banner image
venafi logo

Google Chrome Will Flag All Remaining HTTP Pages as “Not Secure”

Google Chrome Will Flag All Remaining HTTP Pages as “Not Secure”

Google to Flag All HTTPS as Not Secure
June 5, 2018 | David Bisson

Google announced its plans to make HTTPS protection the standard unmarked state for web pages in an upcoming version of Chrome.

On 17 May, Chrome Security product manager Emily Schechter unveiled two security indicators that Google intends to incorporate into its web browser. The first will involve removing the "Secure" wording from HTTPS-protected pages, effectively making HTTPS the default unmarked state for web pages. Schechter said that change is expected to roll out in September 2018 with the release of Chrome 69.

One underlying implication of removing the “secure” tag is that, while HTTPS signals that web pages are using encryption, if they do not use it properly, they may or may not be entirely safe. For example, attackers can hijack encrypted connections and use them for eavesdropping, phishing and even data exfiltration. The overall security of these HTTPS machine identities depends on how strongly they are being created and how carefully they are being implemented.

The second security indicator will likely activate a month later with Chrome 70. As part of that change, Google will display a red "Not Secure" warning whenever users begin entering data into any HTTP page. This overt HTTP shaming will help drag the world, kicking and screaming, into the age of encryption.

Click here to see an example. 

Per Schechter's blog post on the matter, Google hopes "these changes continue to pave the way for a web that’s easy to use safely, by default." But it might not always be easy. Craig Stewart, VP of cyber security company Venafi, thinks it could be particularly difficult for administrators charged with updating their websites' certificates.

"Just the task of discovering these [pages marked “Not Secure”] and making sure they are upgraded to HTTPS will be a big task and, if done manually, there are likely to be gaps which cause disruption to customers and business processes," Stewart said, as quoted by Computer Business Review. "Unless organizations are able to identify where their HTTP certificates are, and then have the flexibility to revoke and replace these with HTTPS certificates, they will be faced with customers, partners and prospects refusing to access a seemingly insecure site. It's those sites that do not use HTTPS that should be brought to our attention so that we do not use them."

Acknowledging these difficulties, Stewart recommends that organizations investigate solutions that are capable of automatically discovering their certificates and monitoring them for abuse.

Automate your organization's certificate management processes

Related posts

Like this blog? We think you will love this.
graphic image of an electrically lit tunnel, apparent from the inside but invisible from the outside
Featured Blog

The Fight over DNS over HTTPS

DoH, Browsers and ISPs

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat