A reminder that Chrome will eventually mark all HTTP pages as “not secure.”
Google Search Console (formerly Webmaster Tools) has begun sending a new message to site owners about unsecured HTTP.
The message is a reminder that, with the release of Chrome 56 next month, all pages that collect passwords or credit cards over HTTP will be labeled “Not Secure.” This will appear in address bar and pages will also lose the green padlock icon.
Also included in the message is a sneak peek of the future. Near the bottom, it says “the new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as “Not Secure.”
For those who follow HTTPs news closely, you will know this is not a new announcement. Google published its plan more than a year ago.
Since then, Google has been working on improvements across the board: redesigning its security UI for improved user understanding, making it easier for sites to adopt the secure protocol, and waiting for HTTPS to become prevalent enough to make the switch without large-scale disruption.
But no one knows when the big change – the labeling of all HTTP pages as “Not Secure” – will happen. In Google’s original proposal they suggested benchmarks based on the percentage of pages loaded securely over HTTPS. Though it was noted this was only an example, and Google has not publicly committed to any specific criteria.
While we can’t say for sure, it’s likely more than a year until all HTTP traffic is marked ‘Not Secure’. Chrome already has one major plan for SSL in 2017 – mandatory participation in Certificate Transparency; and despite a major landmark for encrypted traffic in 2016, there is still a long way to go until the majority of the web is ready for HTTPS.
Note: Thanks to Glenn Gabe who shared the Google Search Console message on Twitter.