InfoSec Blog - Google to Start Labeling HTTP Sites as Insecure

March 23, 2018

Keeping your internet experience safe should be at the forefront of every web developer's mind. Unfortunately, this is not always the case. To help keep the internet safe, Google has started an initiative to motivate web administrators to make their sites more secure: Chrome will alert users when they are asked to provide sensitive information on a potentially insecure site. Specifically, Google will mark HTTP websites as “Not Secure”. HTTP traffic is not encrypted, which leaves sites vulnerable to injection attacks and exposes data to theft while it is in transit.

What is happening now?

In July 2018, with the release of Google Chrome 68, all HTTP sites will be labelled as insecure.

In an effort to move all websites to HTTPS, Google has gradually pushed admins to switch through earlier incentives, such as a higher search ranking for sites that use HTTPS by default over sites that use HTTP. 81 of the top 100 sites in the world have now switched to HTTPS by default, and with this new announcement more should do the same. You can find a list of these sites in Google’s transparency report: https://transparencyreport.google.com/https/top-sites?hl=en.

What can users do?

You may agree that all this information is useful, but what can you do as a user? 

  • Keep your browser up to date
  • Know how to recognize an HTTP vs. HTTPS site
  • Avoid entering sensitive information into HTTP sites

What can site administrators do?

Site administrators should follow Google’s lead in this initiative and switch any HTTP sites to HTTPS. This process is straightforward and requires minimal effort for the administrator. There are also many tools available to assist in making the switch which are cost-effective and, in some cases, free. For example, Google offers a tool called Lighthouse which can be used to audit your sites.
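As a starting point for such an audit, the sketch below flags pages that are served over HTTP, sensitive form fields on those pages, and forms that submit to an `http://` address. It is an added example, not code from Google or Lighthouse; the function names, the heuristic for "sensitive" fields (password inputs and `cc-` autocomplete hints) and the sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAudit(HTMLParser):
    """Collect sensitive inputs and the resolved target of every form."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.sensitive = []      # names of password / card inputs
        self.http_targets = []   # form actions that resolve to http://

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or relative action inherits the page's own scheme.
            target = urljoin(self.page_url, a.get("action", ""))
            if urlparse(target).scheme == "http":
                self.http_targets.append(target)
        elif tag == "input":
            # Assumed heuristic: password inputs and credit-card autocomplete hints.
            is_password = a.get("type", "").lower() == "password"
            is_card = a.get("autocomplete", "").lower().startswith("cc-")
            if is_password or is_card:
                self.sensitive.append(a.get("name") or "<unnamed>")


def audit_page(page_url, html):
    """Return a list of findings for one page (empty list means clean)."""
    p = FormAudit(page_url)
    p.feed(html)
    findings = []
    if urlparse(page_url).scheme == "http":
        findings.append("page served over HTTP")
        if p.sensitive:
            findings.append("sensitive fields on HTTP page: " + ", ".join(p.sensitive))
    findings += ["form submits over HTTP: " + t for t in p.http_targets]
    return findings


# Constructed sample pages (example.test is a reserved test domain).
LOGIN = '<form action="/session"><input type="password" name="pw"></form>'
PAY = ('<form action="http://shop.example.test/pay">'
       '<input autocomplete="cc-number" name="card"></form>')

if __name__ == "__main__":
    for url, html in [("http://shop.example.test/login", LOGIN),
                      ("https://shop.example.test/checkout", PAY)]:
        print(url, audit_page(url, html))
```

The second sample shows why moving the page itself to HTTPS is not enough: a form that still posts to an `http://` address sends its data unencrypted.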

All of this and more can be found on the Google Security Blog: https://security.googleblog.com/

Written by: Joao Bernardo (Coop Student, Information Security)