Why Does Google Chrome Say Websites Are “Not Secure”?

Starting with Chrome 68, Google Chrome labels all non-HTTPS websites as “Not Secure.” Nothing else has changed—HTTP websites are just as secure as they’ve always been—but Google is giving the entire web a shove towards secure, encrypted connections.

In the future, Google even plans to remove the word “Secure” from the address bar. All websites should be secure by default, after all.

How “Secure” HTTPS Websites Work

Chrome displays a lock and the word “Secure” when connected to an HTTPS site.

When you visit a website that uses HTTPS encryption, you’ll see the familiar green lock icon and the word “Secure” in your address bar.

Even if you enter passwords, provide credit card numbers, or receive sensitive financial data over the connection, the encryption ensures no one can eavesdrop on what’s being sent or alter the data packets while they’re travelling between your device and the website’s server.

This occurs because the website is set up to use secure SSL encryption. Your web browser uses the HTTP protocol to connect to traditional unencrypted websites, but uses HTTPS (literally, HTTP with SSL) when connecting to secure websites. Website owners have to set up HTTPS before it will work on their websites.

HTTPS also provides protection against malicious people impersonating a website. For example, if you’re on a public Wi-Fi hotspot and connect to Google.com, Google’s servers will provide a security certificate that is only valid for Google.com. If Google were just using unencrypted HTTP, there would be no way to tell whether you were connected to the real Google.com or to an imposter site designed to trick you and steal your password. For example, a malicious Wi-Fi hotspot could redirect people to these types of imposter websites while they’re connected to the public Wi-Fi.

(Technically, this doesn’t verify identity as well as Extended Validation (EV) certificates. However, it is better than nothing!)

HTTPS also provides other advantages. With HTTPS, no one can see the full path of the web pages you visit. They can only see the address of the website you’re connecting to. So, if you were reading about a medical condition on a page like example.com/medical_condition, even your Internet service provider would only be able to see that you’re connected to example.com—not what medical condition you’re reading about. If you’re visiting Wikipedia, your ISP and anyone else would only be able to see you’re reading Wikipedia, not what you’re reading about.

You might expect that HTTPS is slower than HTTP, but you’d be wrong. Developers have been working on new technology like HTTP/2 to speed up your web browsing, but HTTP/2 is only allowed on HTTPS connections. This makes HTTPS faster than HTTP.

Why Websites Are “Not Secure” If They’re Not Encrypted

Chrome 68 displays a “Not secure” message on HTTP sites.

Traditional HTTP is getting long in the tooth. That’s why, in Chrome 68, you’ll see a “Not secure” message in the address bar while you’re visiting an unencrypted HTTP site. Previously, Chrome just showed an informational “i” in a circle. If you click the “Not secure” text, Chrome will say “Your connection to this site is not secure.”

Chrome is saying that the connection isn’t secure because there’s no encryption to protect the connection. Everything is sent over the connection in plain text, which means it’s vulnerable to snooping and tampering. If you type private information like passwords or payment information into such a website, someone could snoop on it as it travels over the Internet.

People can also watch the data the website is sending to you. So, even if you’re just browsing the web, eavesdroppers can see exactly which web pages you’re looking at. Your Internet service provider would also know exactly what web pages you’re looking at and could sell that information for use in ad-targeting. Other people on the public Wi-Fi at the coffee shop could see what you’re looking at, too.

An unencrypted website is also vulnerable to tampering. If someone is sitting between you and the website, they could modify the data the website is sending to you, or modify the data you’re sending to the website, executing a man-in-the-middle attack. For example, this could occur when you’re using a public Wi-Fi hotspot. The hotspot’s operator could spy on your browsing and capture personal details or modify the contents of the web page before it reaches you. For example, someone could insert malware download links into a legitimate download page if that download page was sent over HTTP instead of HTTPS. They could even create a fake imposter website that pretends to be a legitimate website—if the legitimate website doesn’t use HTTPS, there’d be no way to notice you’re connected to a fake one and not the real one.

Why Did Google Make This Change?

Chrome 67 just shows an informational “i” in a circle while viewing HTTP sites.

Google and other web companies, including Mozilla, have been waging a long-term campaign to move the web from HTTP to HTTPS. HTTP is now considered an outdated technology that websites shouldn’t use.

Originally, only a few websites used HTTPS. Your bank and other sensitive websites would use HTTPS, and you’d be redirected to an HTTPS page while signing into websites with a password and entering your credit card number. But that was it.

Back then, HTTPS cost some money for website owners to implement, and secure HTTPS connections were slower than HTTP connections. Most websites just used HTTP, but that allowed for snooping and tampering with the connection. This made public Wi-Fi hotspots risky to use.

To provide privacy, security, and identity verification, Google and others wanted to move the web towards HTTPS. They’ve done so in many ways: HTTPS is now even faster than HTTP thanks to new technologies, and website owners can get free SSL certificates to encrypt their websites from the non-profit Let’s Encrypt. Google prefers websites that use HTTPS and promotes them in Google search results.

75% of websites visited in Chrome on Windows are now using HTTPS, according to Google’s transparency report. It’s now time to flip the switch and start warning users of HTTP websites.

Nothing has changed—HTTP still has the same problems it always has. But enough websites have moved to HTTPS that it’s time to warn users about HTTP and encourage website owners to stop dragging their feet. The move to HTTPS will make the web faster while improving security and privacy. It also makes public Wi-Fi hotspots safer.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.