Google Expands Use of Not Secure Warning in Chrome

If you have forms, login fields or other input sections on HTTP pages, Chrome will start marking them “Not secure.” Fix the problem before you’re marked!

If you have forms, login fields, or other information input sections on your HTTP site, keep reading. Chrome will start marking these pages as “Not secure” in October 2017.

On August 17, Google sent an email to sites with forms/input fields on unsecured web pages notifying them of what’s to come. This news isn’t necessarily groundbreaking, as Google started this initiative as early as January when they began marking HTTP pages as “Not secure” if they had password or credit card fields.

In their notification via Google Search Console, Google wrote, “Beginning in October 2017, Chrome will show a ‘Not secure’ warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode…The new warning is part of a long term plan to mark all pages served over HTTP as ‘Not secure.'”

To fix the problem and avoid being marked as “not secure,” Google advised site owners to migrate to HTTPS.

Why is Google expanding the scope of “Not secure” warnings? Security has always been an important issue for Google and the search engine gives HTTPS sites a slight boost in search results.

“Passwords and credit cards are not the only types of data that should be private,” writes Emily Schechter of the Chrome Security Team. “Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the ‘Not secure’ warning when users type data into HTTP sites.”

Here’s an example of how a user’s address bar will change when they start filling out a form on an HTTP site:

Sites that refuse to increase their security could miss out on over half of the web browsing population. After all, would you proceed to a site and provide any information, personal or not, if your browser warned you it wasn’t secure? Chrome currently holds about 47% of desktop browser market share and 51% of mobile browser market share, reports NetMarketShare. There’s a good chance at least half of your customers use Chrome as their primary browser.

If your site collects any sort of sensitive information and is not on HTTPS hosting, it’s time to make a change.

In the short term, start by securing pages on your site that request sensitive information. Long term? Use HTTPS everywhere. According to Google’s Developer Blog, Chrome will eventually show a ‘Not secure’ warning for all pages served over HTTP, regardless of whether or not they contain sensitive input fields. If you’re not sure where to begin, GPO can help with a step-by-step guide for transitioning your site to HTTPS.