Apple Safari testing “Not Secure” warning for HTTP websites
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Apple Safari testing “Not Secure” warning for HTTP websites

Safari will follow the footsteps of Google Chrome by adding a more explicit HTTP warning

HTTP is dead. Google has largely led that charge, given its Chrome browser’s ubiquity and the company’s ability to compel certain behaviors given its size and clout. Now, one of the other big names in the tech industry, Apple, is potentially following Google’s lead by testing a “Not Secure” HTTP warning for its Safari browser.

While organizations like Google, Cloudflare and Mozilla have visibly been at the forefront of the initiative to encrypt the internet, companies like Apple and Microsoft tend to play things far closer to the vest. For instance, whereas Chrome and Mozilla regularly have blog posts detailing changes they’re thinking about making and why they do things, Apple tends to be a little less transparent.

When Apple released Safari Technology Preview 70, which is an advance browser similar to Chrome Canary or Firefox Nightly, the addition of its HTTP warning was given just a single line in the release notes:

Added a warning in the Smart Search field when loading non-secure pages

So, today we’re going to talk a little bit about Safari HTTP warning and what it means for internet users moving forward.

Let’s hash it out.

Testing the Safari HTTP Warning

Currently, Apple’s Not Secure warning has only been added to its Technology Preview browser, which Apple uses to test new features. And in true Apple fashion, the company has yet to comment on if and when the change could arrive on the stable version of its Safari browser.

Still, this is significant because Safari does have a decent market share and it’s now the second major browser to actively penalize HTTP websites.

Google has been testing ways to deprecate HTTP for years. Back in 2014 it tried to incentivize migrating to HTTPS by announcing it would be a search ranging signal. Then it started restricting features for HTTP sites. It briefly changed its UI to say “Secure” for EVERY HTTPS site. And then over the Summer it finally made good on its promise to add a “Not Secure” warning to its address bar when visiting an HTTP site.

Now Apple appears to be following. Safari’s UI is a lot different from Chrome’s so obviously the warning looks a little different. Apple also elides URLs differently, so I think the effect ends up being a little more impactful.

apple safari http warning

Again, no word yet on when the change will hit the stable version, but this will apply even more pressure to websites that aren’t offering secure connections.

Why is HTTP bad?

For those that keep abreast of the industry, this is the point you can stop reading. As for everyone else, HTTP has been at the heart of the internet for decades, but it was developed when the internet was a lot different. At that point, sensitive data wasn’t being transferred, the internet was for the free exchange of information.

With the commercialization of the internet, the need for more secure connections between clients and servers became evident, so SSL/TLS was layered over HTTP and HTTPS was born. The internet is not built to be a straight shot to your destination, it’s not just your computer connecting to the website you’re visiting directly. Instead, your connection gets routed through various points all across the country or even the world before finally arriving at its destination.

With an HTTP connect, all of the data being between client and server is sent in plaintext – easily readable by a third party listening in on any of the dozens of devices your connection will route through. HTTPS prevents this by encrypting the data so that it’s unreadable to anyone but the intended party.

You can understand why companies like Google and Apple would want to make this the default. And that’s the plan, to make HTTPS so ubiquitous it becomes an afterthought. Just a standard expectation.

And each step like adding a Safari HTTP warning help move that initiative along.

As always, leave any comments or questions below…


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.