Chrome To Remove 'Secure' Label For HTTPS Websites

Google announced that its security indicators for HTTPS and HTTP pages will change starting this fall, in versions 69 and 70 of Chrome. HTTPS websites will not longer be shown as "Secure," while HTTP pages will be shown as "Not Secure" in red font, when users enter data.

Evolution Of Web Security Indicators

Over the past couple of years, both Chrome and Firefox have started encouraging web developers to adopt HTTPS encryption by giving them small incentives such as showing their websites’ address next to a padlock icon with a “Secure” label in green. This was supposed to make users trust these websites more, because the data exchange between the user and the server would be encrypted.

Since then, and due in no small part to the Let’s Encrypt project, which is backed by Mozilla, EFF, and others and has been offering free HTTPS certificates to everyone, many more websites have adopted encryption.

Now, Google believes that users should expect that the web is “safe by default.” Therefore, users shouldn’t need bright green labels and padlocks to know whether or not the website they visit is secure.

Chrome 69 To Lose The “Secure” Label

Starting with Chrome 69, which should land this September, Google’s browser will lose the green “Secure” wording, and its padlock will turn from green to grey. The company added that eventually Chrome will also use the padlock, too, and all you’ll see will be the web address without HTTP, HTTPS, or any other label or symbol next to it.

It’s possible Google also doesn’t want internet users to believe that a site is “secure” just because it's using HTTPS encryption. A site could use HTTPS encryption and then still lose all of your account data to hackers due to poor server security hygiene. HTTPS encryption only guarantees that your connection to the site is secure, but it says nothing about how secure your data is on a company’s server.

Chrome 70 To Add “Not Secure” Warning In Red

Chrome 56 started showing users a “Not Secure” warning in grey on login pages. Starting with Chrome 70, this fall, users will see a “Not Secure” warning in red when they enter data on HTTP pages. The HTTP pages will also be labeled “Not Secure” in grey at all times.

Perhaps the most controversial change in Google’s announcement is Google’s statement that users should expect the web to be safe. Whether we’re talking about HTTPS, PGP, S/MIME, or other encryption and security protocols, it may not serve users to hide what protocols are being used to protect their data. At the end of the day, this is also an issue of transparency, and users deserve to know how their traffic and data are protected.

Google expects that when the “Secure” label and padlock are gone, users will continue to believe that the same sites are just as secure. However, this may not happen because users have been trained for decades to expect no security unless claimed otherwise.

This thread is closed for comments
    Your comment
  • derekullo
    "users should expect that the web is “safe by default.” "

    Just like the ocean is safe by default ...
  • bobba84
    This is absolutely ridiculous. Just another reason to use firefox.
  • anbello262
    2620006 said:
    This is absolutely ridiculous. Just another reason to use firefox.

    (Disclaimer: I don't mean this as a personal attack, just using your comment as a general example)

    I get the feeling this is too much outrage over a very simple detail. Just a minor change in colouring, and eventually it is supposed to go away anyways (since ALL sites are expected to use https eventually).
    This will only have some real impact for web owners (even less traffic for http sites), not so much for users, in my opinion.