If you use Google Chrome, you might soon notice a small but significant change. The browser is now starting to mark certain websites as Not Secure, and soon you’ll no longer see a Secure message on other sites.
Why is Chrome doing this, and what does it mean for you? Let’s find out.
HTTP and HTTPS
Before we look at what Chrome does, it’s important to understand the underlying technology.
The Hypertext Transfer Protocol, or HTTP, is a backbone of the internet as we know it. This protocol allows your browser to request information from a website, which the website sends back in a form that your browser can display for you.
Unfortunately, HTTP doesn’t have any kind of protection: traffic is sent unencrypted. This makes it vulnerable to man-in-the-middle attacks, where someone could intercept the message in transmission, inject dangerous elements, and pass it on without you knowing. HTTP traffic is also vulnerable to eavesdropping, so it’s not suitable for online payments and other sensitive traffic.
To solve this problem, we use HTTP Secure, or HTTPS. This is an extension of HTTP that uses the Transport Layer Security (TLS) protocol to encrypt traffic, protecting it against these attacks.
At first, HTTPS was only used for online purchases and other sensitive information. But now, HTTPS is in place when you connect to many sites, like Google, social media, and news pages. It helps keep the connection between your PC and the website private, so others can’t spy on it.
The Chrome 68 Update
Google started rolling out Chrome version 68 on July 24, 2018. Prior to this version, Chrome marked websites that use HTTPS as Secure. This text appears in green next to a padlock icon. Seeing this icon lets you know that your connection is secure, which is important to check when you’re exchanging sensitive information online.
In Chrome versions 67 and earlier, if you’re on an HTTP site, Chrome simply does not display any messages about security. But starting in Chrome 68, Google will mark HTTP sites as Not Secure.
This represents a shift in the way of thinking online. Google no longer sees insecure HTTP connections as the default. Instead, it wants all sites to use HTTPS to protect their traffic.
For now, Chrome will still mark sites that use HTTPS as Secure, but eventually it will phase this out in accordance with the new standard. In the same way, the gray Not Secure text will become red sometime in the future.
What Does This Mean for Me?
This is a change that reflects Google’s way of thinking, but it doesn’t result in many changes for users. A website marked as Not Secure isn’t necessarily unsafe, and a Secure connection doesn’t make a site totally safe either.
For example, the BBC’s American website currently does not use a secure connection. This means that anything you do there, such as searching for articles, is readable by anyone who is watching your network. While this means you have basically no privacy on that site, it doesn’t make the BBC’s website dangerous. You’re not transmitting any sensitive information, like a credit card number, to the BBC’s site.
On the other hand, a site that shows as Secure can still have dangerous elements. A malicious ad on the page could try to trick you into downloading malware, or you may enter your credit card into a secure site that’s not trustworthy.
There’s one other type of warning you should know about: dangerous websites. If Chrome alerts you that a website is not secure with a large warning screen and a red line through the HTTPS in the URL, you should stay away. This usually means that a website’s security settings don’t check out properly, indicating malicious intent.
If you’re concerned about using HTTPS everywhere you visit, you can install the HTTPS Everywhere extension in Chrome. This makes sure you connect to the secure HTTPS version of websites whenever one is available.
Hopefully, Chrome’s change encourages more websites to use HTTPS to protect their users’ browsing. And now you know why this looks different.