The Chrome HTTP Warning is continually raising its expectations for page security.
If you are a regular Chrome user, you have likely noticed the frequent changes to the browser’s SSL UI. The primary padlock icons changed last year, and a few months ago a Chrome HTTP warning was added to pages.
These changes are part of a major project which will re-invent our understanding of connection security as the web’s adoption of HTTPS picks up.
This means that as more of the internet’s traffic becomes encrypted, Chrome will continue to raise its expectations and make the insecure nature of HTTP connections more prominent.
Late last week, Chrome announced the next step in this project.
The “Not Secure” warning, which currently appears on HTTP pages with login/credit card fields, will be shown in two more scenarios later this year.
When Chrome 62 releases (around October), the “Not Secure” warning will appear on any HTTP page if you start typing data into the page. Any HTTP page with a text field, such as a search function, contact form, or address box, will trigger the warning.
This warning will be ‘dynamic’ and only appear once the user starts typing data into a field. This behavior is demonstrated in the GIF below.
In addition, the “Not Secure” warning will appear on all HTTP pages when you are in “Incognito” mode, which provides a private session.
In the announcement for this latest change, Chrome engineer Emily Schechter wrote “when users browse Chrome with Incognito mode, they likely have increased expectations of privacy.”
This table summarizes the changes:
Schechter also reminded us that Chrome’s plan is to “eventually” show the “Not Secure” warning for ALL HTTP pages in all contexts. Chrome’s team has not given specifics on when this will happen, but we know it is tied to HTTPS adoption.
A few versions ago, Chrome added this “Not Secure” warning for HTTP pages with password or credit card forms. This has already led to a 23% reduction in the number of navigations occurring to such pages – evidence that the indicator has been a strong motivator for site administrators to adopt HTTPS.
If you operate a website without HTTPS and don’t yet have a transition plan, you should start developing one as soon as possible.
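As a starting point for that plan, the sketch below sorts pages into the warning scenarios described above. It is an added example, not Chrome's logic or code from the announcement: the set of input types treated as text fields, the use of `autocomplete="cc-..."` to spot card fields, and the sample pages are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: <input> types treated as free-text entry; Chrome's exact field
# detection is not described in the article.
TEXT_TYPES = {"text", "search", "email", "tel", "url", "number"}

class FieldScanner(HTMLParser):
    """Collects the form fields relevant to the "Not Secure" scenarios."""
    def __init__(self):
        super().__init__()
        self.sensitive = []  # password / credit card fields
        self.text = []       # any other field a user can type into

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        label = a.get("name") or a.get("id") or tag
        if tag == "textarea":
            self.text.append(label)
        elif tag == "input":
            kind = (a.get("type") or "text").lower()  # missing type means text
            # Assumption: card fields carry an HTML autofill token like cc-number.
            if kind == "password" or a.get("autocomplete", "").lower().startswith("cc-"):
                self.sensitive.append(label)
            elif kind in TEXT_TYPES:
                self.text.append(label)

def classify(url, html):
    """Return (stage, fields) for one page, following the article's scenarios."""
    if urlparse(url).scheme.lower() == "https":
        return "https: no warning", []
    scanner = FieldScanner()
    scanner.feed(html)
    if scanner.sensitive:
        return "already warned: password/credit card field", scanner.sensitive
    if scanner.text:
        return "Chrome 62: warned once the user types", scanner.text
    return "Chrome 62: warned in Incognito only", []

# Constructed sample pages, not taken from any real site.
PAGES = {
    "http://example.test/login": '<input name="user"><input type="password" name="pw">',
    "http://example.test/search": '<input type="search" name="q"><input type="submit">',
    "http://example.test/about": "<p>No forms here.</p>",
    "https://example.test/contact": '<textarea name="msg"></textarea>',
}

if __name__ == "__main__":
    for url, html in PAGES.items():
        print(url, *classify(url, html))
```

Feeding it the saved HTML of each page on a site gives a rough priority order for the HTTPS migration: pages with password or card fields first, then anything with a text field.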