Chrome will soon mark all HTTP sites as "Not Secure"

The Web can be a pretty scary place. The power and information it gives users are also available to those with less benign intentions. Browser makers have long been trying to make the Web safer, only to be foiled by user browsing habits on one end and websites' poor security practices on the other. Google, for its part, has given developers and administrators enough time to get their act together. But enough is enough: starting July this year, the Chrome web browser will mark all websites still using HTTP instead of HTTPS as "Not Secure".

HTTPS, also known as HTTP Secure or encrypted HTTP, had been around long before Google began its push years ago. Many website owners and web app developers, however, have forgone the transition, mainly for two reasons. The first was that moving to HTTPS was initially difficult and expensive. The second was that there wasn't exactly any industry push for the change. Neither is true today.

For years, Google has been carrying on what is practically a shame campaign against some HTTP sites, marking them in Chrome as insecure to raise awareness among both users and owners. It may have been effective. Google boasts that, today, over 68% of Chrome traffic on all operating systems is protected via HTTPS and 81 of the top 100 websites now use HTTPS by default.

That pretty much means it's time to finally flip the switch. Starting with version 68 of Chrome in July, each and every HTTP site will be marked as insecure. Hopefully that will be enough to scare off users, though, given human frailty, it might not. Still, it's a step that must be taken.

Google isn't throwing developers out in the cold, of course. It has been providing them with the tools and means to make it easier to embrace HTTPS or, at the very least, to be aware of where the potential holes are. A new audit feature in its open source Lighthouse tool will not only pinpoint which resources are loading via HTTP, it will also tell developers which ones can easily be fixed by simply changing HTTP to HTTPS.
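
The kind of check that audit describes can be illustrated with a short Python example. It is added here, and is not Lighthouse's code or part of the original article: it lists the subresources an HTTPS page still loads over HTTP and marks which ones can be fixed by switching the scheme. The page, the `example.test` hosts and the `HTTPS_CAPABLE` set (hosts assumed to have been verified as serving the same content over HTTPS) are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, class). <a href> is absent: navigation is not a subresource load.
SUBRESOURCES = {"script": ("src", "active"), "iframe": ("src", "active"),
                "link": ("href", "active"), "img": ("src", "passive"),
                "audio": ("src", "passive"), "video": ("src", "passive")}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr, kind = SUBRESOURCES[tag]
        a = dict(attrs)
        # Only stylesheet <link>s are checked here; other rel values are skipped.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        raw = (a.get(attr) or "").strip()
        # Resolve relative and protocol-relative URLs against the page first.
        if raw and urlsplit(urljoin(self.page_url, raw)).scheme == "http":
            self.findings.append((tag, kind, urljoin(self.page_url, raw)))

def audit(page_url, html, https_capable):
    """Return one dict per HTTP subresource; upgrade_to is None when the host
    is not in https_capable (an assumed, pre-verified set of hostnames)."""
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return [{"tag": t, "kind": k, "url": u,
             "upgrade_to": ("https" + u[4:]) if urlsplit(u).hostname in https_capable else None}
            for t, k, u in parser.findings]

# Constructed sample page and host list (not taken from the article).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="http://legacy.example.test/widget.js"></script>
<script src="//cdn.example.test/app.js"></script>
</head><body>
<a href="http://other.example.test/">a plain link</a>
<img src="http://static.example.test/logo.png"> <img src="/local.png">
</body></html>"""
HTTPS_CAPABLE = {"static.example.test"}

if __name__ == "__main__":
    for finding in audit("https://www.example.test/", SAMPLE_PAGE, HTTPS_CAPABLE):
        print(finding)
```

Entries whose `upgrade_to` is `None` are the ones that need more than a scheme change, such as moving the resource to a host that serves HTTPS.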