
Chrome to Mark HTTP Connections as Non-Secure

Starting in January 2017, Chrome will mark HTTP sites as non-secure when they transmit sensitive information such as passwords or credit card information, Google said this week.

The Web browser already signals the security of a connection through an icon in the address bar, but hasn’t explicitly labelled HTTP connections as non-secure. That will change early next year when Chrome 56 is scheduled to arrive. The long-term plan, Google says, is to mark all HTTP sites as non-secure.

At the moment, Chrome indicates HTTP connections with a neutral indicator, but that “doesn’t reflect the true lack of security for HTTP connections,” Emily Schechter, Chrome Security Team, Google, explains in a blog post. Because HTTP is not secure, when the user loads a website over HTTP, an attacker on the network could look at or modify the site before the user accesses it, Schechter says.

Sensitive information such as login credentials and credit card information represents the kind of data that users wouldn’t want to be compromised over HTTP. Also fearing that login pages can be manipulated by Man-In-The-Middle (MiTM) attacks when sent over a non-secure connection, Mozilla in January updated Firefox to warn of password requests over HTTP.

The upcoming change in Chrome will be another step that Google takes in its continuous push towards more secure web traffic. As Schechter notes, a “substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing.” However, just over half of the Chrome desktop page loads are now served over HTTPS, while the others remain on HTTP.

Once Chrome starts labeling HTTP sites more clearly and accurately as non-secure, users might become more aware of the danger these websites pose. The lack of a “secure” icon isn’t perceived as a warning, but warnings that occur too frequently risk making users blind to them. Thus, Google will label HTTP connections as non-secure gradually, beginning with Chrome 56, which will flag only pages with password or credit card form fields.

“In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,” Schechter continues.

Last year, Google announced that it was boosting HTTPS pages in search results, in an attempt to encourage webmasters to improve their site’s security. Earlier this year, the company also started monitoring the use of HTTPS on top 100 sites. This push towards HTTPS has already paid off, with announcing in April free HTTPS to all hosted sites.

Site owners are encouraged to move to HTTPS as soon as possible. “HTTPS is easier and cheaper than ever before, and enables both the best performance the web offers and powerful new features that are too sensitive for HTTP,” Schechter says. Courtesy of open Certificate Authorities such as Let’s Encrypt, HTTPS certificates can be grabbed for free.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
