Chrome's Secure site flag is retiring this September
Google plans to change how it flags secure sites in Chrome, retiring its "Secure" indicator in favor of highlighting which pages don't support HTTPS. The decision, which will take affect in a later release of Chrome, flips the current system on its head.
"Users should expect that the web is safe by default," Emily Schechter, Product Manager of Chrome Security, said of the change, "and they'll be warned when there's an issue." Currently, Chrome has a green "Secure" indicator at the start of the address box, complete with a small padlock indicator. That shows up when a webpage uses HTTPS, which encrypts all communication between the site and the user's browser.
Chrome began showing warnings about sites that were using non-secure HTTP back in 2016, with Chrome 56. At the time, it was explained as a way to motivate page owners to transition to HTTPS, and thus hopefully prevent examples of data theft. That motivation – among other things – appears to have worked.
Indeed, Schechter says, while previously "HTTP usage was too high to mark all HTTP pages with a strong red warning" Google now believes that's no longer the case. As of Chrome 69, which is expected to be released in September 2018, the browser will no longer show the green "Secure" indicator. Instead there'll be a grey padlock icon.
Come Chrome 70, in October 2018, sites which still use HTTP will get a red "Not secure" legend, and a red warning triangle, when users begin to enter text on that page. "Since we'll soon start marking all HTTP pages as "not secure", we'll step towards removing Chrome's positive security indicators so that the default unmarked state is secure," Schechter explains. Eventually, there'll be no padlock symbol at all for HTTPS sites.
Although it's arguably a small change, Google's decision does have the potential to significantly affect how people think of the sites they use. Until now, you could say, the security of HTTPS has been an "added bonus": something admirable and thus worth flagging. However, moving forward the change in approach – to brand some sites as "Not secure" when they don't support HTTPS – will emphasize a security lapse instead.