Chrome 56: HTTP Sites Marked as Not Secure

It’s fairly obvious what Chrome is trying to do here; they’re trying to push sites to switch over to the more secure HTTPS communication. That’s an admirable effort, but it also seems like Chrome might be undermining its own credibility by issuing what is essentially a false security alert for existing HTTP sites that are perfectly secure.

Google announced plans today to increase the pressure on sites not yet offering their content over secure HTTPS connections. Starting with Chrome 56 Stable, out January 2017, the company plans to list some HTTP sites as not secure in the browser. Chrome currently uses a neutral listing for non-HTTPS sites. Both plain HTTP sites and HTTPS sites with mixed content fall into that category.

Starting with Chrome 56, some of those sites may be listed as not secure in the browser instead.

Any non-HTTPS page — and mixed content pages fall into that category — with a password field or credit card form fields will be marked as not secure in Chrome 56.

Google’s plans don’t end there though. The company plans to extend the warning to all non-HTTPS sites in the browser’s Incognito Mode, and later on to all non-HTTPS sites displayed in the browser.

The indicator’s color remains gray for the time being during that transition phase.


In the end, all HTTP pages are shown as not secure with a red exclamation mark and text in the browser’s address bar.


Some sites or pages benefit more than others. While it makes sense to enforce HTTPS usage on financial sites and sites that deal with personal information, others may not benefit from it nearly as much.

There are valid arguments against enforcing HTTPS on all Internet sites. They range from increased handshake times to making it harder for users to publish sites on the Internet. Previously, all you had to do was create an HTML page and publish it. With HTTPS being enforced, you need to find a way to get a certificate for your site.

Thankfully, this has gotten easier and cheaper thanks to Let's Encrypt. It still means that you have to understand how to generate a certificate for your site and spend time understanding the process.

It seems a given that the web is moving towards HTTPS, and that HTTP or mixed content HTTPS sites will have an outlaw status one day.

You are probably wondering what we have planned in regards to HTTPS. I’m currently testing the implementation on two test URLs and the backend. I’m getting mixed content warnings because of the newsletter form, but that seems to be the only issue right now.

You can check out one of the test pages here. Note that it shows up fine right now, but that is because the newsletter sign-up won’t work on that page.
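For site owners who want to know which of their pages fall under the Chrome 56 rule and which only have a mixed content problem like the newsletter form mentioned above, here is an added example (not code from Google or from this site) that classifies a page from its URL and HTML. It assumes credit card fields can be recognised by the HTML autofill tokens starting with `cc-`, since the page does not say how Chrome detects them; the function names and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute that loads a subresource or submits data, per tag.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "form": "action"}

class PageAudit(HTMLParser):
    """Collects sensitive input fields and plain-HTTP references from one page."""
    def __init__(self):
        super().__init__()
        self.sensitive = []   # "password" / "credit-card" inputs found
        self.insecure = []    # (tag, url) pairs that point at http://

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            tokens = a.get("autocomplete", "").lower().split()
            if a.get("type", "").lower() == "password":
                self.sensitive.append("password")
            # Assumption: card fields are identified by cc-* autofill tokens.
            elif any(t.startswith("cc-") for t in tokens):
                self.sensitive.append("credit-card")
        url = a.get(URL_ATTRS.get(tag, ""), "")
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))

def audit(page_url, html):
    """Return (verdict, sensitive_fields, insecure_refs) for one page."""
    p = PageAudit()
    p.feed(html)
    https = urlparse(page_url).scheme.lower() == "https"
    mixed = https and bool(p.insecure)
    if (not https or mixed) and p.sensitive:
        verdict = "not-secure"      # non-HTTPS or mixed page with sensitive fields
    elif mixed:
        verdict = "neutral-mixed"   # HTTPS page still referencing HTTP
    elif not https:
        verdict = "neutral-http"    # still the neutral listing in Chrome 56
    else:
        verdict = "secure"
    return verdict, p.sensitive, p.insecure

# Constructed sample pages (not taken from any real site).
LOGIN = '<form action="/login"><input type="password" name="pw"></form>'
NEWSLETTER = '<form action="http://news.example/subscribe"><input type="email"></form>'
```

The `insecure_refs` list names each tag and URL that has to move to HTTPS before an otherwise HTTPS page stops counting as mixed content.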
