July 25, 2018 HTTPS, encryption, Chrome

Chrome started marking all HTTP websites as Not secure yesterday (on my birthday, what a gift!) with the release of Chrome 68. The treatment is not a red warning yet, just a gray (i). And there are a lot of busy Czech websites getting that treatment. So how did we get here anyway, and what's next?

Not secure | www.ceskatelevize.cz/moje-ct/

Czech Television in Chrome 68

Chrome's treatment is already pretty visible, while other browsers display similar warnings only after you click the icon in the address bar. Firefox, for example, will probably follow Chrome soon, and Safari will follow too, but there's no date yet.

www.ceskatelevize.cz Connection Is Not Secure

Czech Television in Firefox 61

Some of the rather busy Czech websites that don't speak HTTPS at all, or don't redirect their users to HTTPS, are:

Troy Hunt and Scott Helme have created a list of another 50 Czech sites that couldn't care less about Not secure (and about their visitors). The list is called Why No HTTPS? and of course it covers other countries as well, like Slovakia. I guess those sites will eventually migrate to HTTPS, but it requires an industry-wide push.
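The two failure modes mentioned above, a site that doesn't speak HTTPS at all and a site that speaks it but never redirects plain HTTP there, are easy to check yourself. The script below is an added example for this post, not code from the original article nor the Why No HTTPS? project's own checker. It starts at http://host/ the way a browser would and walks the redirect chain one hop at a time instead of letting the HTTP library hide the intermediate hops, because every plaintext hop is a chance for someone on the path to rewrite the response. It also records whether the final HTTPS response sends Strict-Transport-Security, without which each later visit typed as http:// starts in plaintext again. The hostnames in SAMPLE_RESPONSES are constructed so the logic can be exercised offline; pass real hostnames on the command line to check live sites.

```python
"""Does a site speak HTTPS, and does plain HTTP redirect to it?

Added example, not part of the original post. Follows the redirect chain
from http://host/ hop by hop so every plaintext hop is visible.
Hostnames in SAMPLE_RESPONSES are constructed, not real measurements.
"""
import http.client
import ssl
import sys
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10  # stop runaway redirect loops


def fetch_once(url, timeout=10):
    """Issue one GET for url and return (status, lower-cased headers).

    Redirects are NOT followed here; follow_chain() does that so each hop
    gets recorded. Network errors propagate to the caller.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(
            parts.hostname, parts.port or 443, timeout=timeout,
            context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("GET", path, headers={"User-Agent": "https-check/0.1"})
        resp = conn.getresponse()
        resp.read()  # body is irrelevant, just drain the connection
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def follow_chain(start_url, fetch=fetch_once):
    """Return [(url, status, headers), ...] for every hop from start_url.

    `fetch` is injectable so the logic can run offline against constructed
    responses. A hop with status None means the request failed.
    """
    chain = []
    url = start_url
    for _ in range(MAX_HOPS):
        try:
            status, headers = fetch(url)
        except (OSError, http.client.HTTPException):
            chain.append((url, None, {}))
            break
        chain.append((url, status, headers))
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])  # Location may be relative
        else:
            break
    return chain


def classify(chain):
    """Summarise a chain that started at an http:// URL.

    verdict:
      'https-redirect'  the very first response already sends you to https://
      'https-via-http'  ends on https://, but only after more plaintext hops
      'http-only'       ends on plain HTTP: Chrome 68 shows "Not secure"
      'unreachable'     the request failed
    hsts: whether the final HTTPS response carried Strict-Transport-Security.
    """
    final_url, final_status, final_headers = chain[-1]
    final_https = final_status is not None and urlsplit(final_url).scheme == "https"
    if final_status is None:
        verdict = "unreachable"
    elif not final_https:
        verdict = "http-only"
    elif len(chain) > 1 and urlsplit(chain[1][0]).scheme == "https":
        verdict = "https-redirect"
    else:
        verdict = "https-via-http"
    return {
        "verdict": verdict,
        "hsts": final_https and "strict-transport-security" in final_headers,
        "hops": len(chain),
        "final_url": final_url,
    }


def check_site(hostname, fetch=fetch_once):
    """Run the check the way a browser would: start at http://hostname/."""
    return classify(follow_chain(f"http://{hostname}/", fetch=fetch))


# Constructed sample responses for offline use; these hosts are not real.
SAMPLE_RESPONSES = {
    "http://good.example/": (301, {"location": "https://good.example/"}),
    "https://good.example/": (200, {"strict-transport-security": "max-age=31536000",
                                    "content-type": "text/html"}),
    "http://detour.example/": (301, {"location": "http://www.detour.example/"}),
    "http://www.detour.example/": (302, {"location": "/login"}),  # relative Location
    "http://www.detour.example/login": (301, {"location": "https://www.detour.example/login"}),
    "https://www.detour.example/login": (200, {"content-type": "text/html"}),
    "http://plain.example/": (200, {"content-type": "text/html"}),
}


def sample_fetch(url):
    """Serve SAMPLE_RESPONSES; an unknown URL behaves like a connection error."""
    try:
        return SAMPLE_RESPONSES[url]
    except KeyError:
        raise OSError(f"no route to {url}")


if __name__ == "__main__":
    live = bool(sys.argv[1:])
    hosts = sys.argv[1:] or ["good.example", "detour.example", "plain.example", "missing.example"]
    for host in hosts:
        result = check_site(host, fetch=fetch_once if live else sample_fetch)
        print(f"{host:20} {result['verdict']:16} hsts={result['hsts']} hops={result['hops']}")
```

Only a site that answers the very first http:// request with a redirect to https:// and then sends HSTS gets the clean result here; a redirect that first bounces through http://www. before reaching HTTPS is reported separately, since that extra plaintext hop is exactly where a redirect can be rewritten. The check only looks at the root path, so a site can pass it and still serve individual HTTP pages.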

How was the journey?

Frankly speaking, they had a lot of time to migrate to HTTPS. Let's look at the push from Google's point of view:

August 2014: Google announced HTTPS as a ranking signal for their search engine. A very lightweight signal but a smart move nonetheless.

September 2016: Google said that starting in January 2017, Chrome would mark HTTP pages as Not secure if they contained a password or credit card form field.

Login pages in Chrome 53: login.example.com; in Chrome 56: (i) Not secure | login.example.com

Chrome marks HTTP pages with login or payment card fields as Not secure since January 2017 (source)

April 2017: an announcement said that starting in October 2017, Chrome would mark HTTP pages as Not secure as soon as the user entered any data into them, and that all HTTP pages loaded in Incognito mode would get the Not secure treatment.

HTTP pages in Chrome 58: example.com; in Chrome 62 when entering data or when in Incognito mode: (i) Not secure | example.com

Starting October 2017, Chrome marks HTTP pages as Not secure when entering data or when in Incognito mode (source)

February 2018: we learned that Chrome would mark all HTTP pages as Not secure starting in July 2018, still with the gray (i).

HTTP pages in Chrome 64: example.com; in Chrome 68: (i) Not secure | example.com

Chrome displays the Not secure for all HTTP pages since yesterday (source)

And here we are, in July 2018. Good job and thanks to everyone who got us this far! Just a few years ago, I couldn't imagine this and thought it wouldn't happen in my lifetime. Seriously, I got goose bumps when I was talking about it at one of my trainings.

By the way, the dates above are not random. The changes are driven by Chrome telemetry, such as the percentage of pages loaded over HTTPS. In the USA, 84% of all pages are loaded over HTTPS, 66% in Japan. If the numbers were lower, there would be no changes like this, because people would see Not secure too often and would start ignoring it. In Firefox, the percentage of pages loaded over HTTPS is similar.

Right, a page is not a website. If you use Facebook or Gmail the whole day, that's many page loads but just one or two sites. Some time ago, I tried to guesstimate how many Czech sites are on HTTPS and the result was 20–30%.

What the future holds?

In September this year, you'll see a gray lock instead of the green one in Chrome, and the Secure wording will be removed. Eventually, even the gray lock will disappear.

HTTPS pages in Chrome 69: 🔒 example.com; eventually: example.com

The Secure wording will be removed in September and the green lock will be replaced with a gray one, which will eventually disappear (source)

In October, the gray (i) in front of Not secure will turn into a red triangle with an exclamation mark as soon as the user starts entering data into a page loaded over HTTP.

HTTP pages eventually: ⚠ Not secure | example.com

Eventually, all HTTP pages will be treated with red ⚠ Not secure (source)

There's no date set, but eventually all pages loaded over HTTP will be marked as Not secure with a red triangle, while HTTPS pages will get no special treatment at all: secure becomes the unmarked default. And that's right. HTTPS is the new HTTP and should be everywhere. Yes, your static site needs it too. So, are you ready?

The future is here

You can already try some of the changes listed above.

Want the eventual red ⚠ Not secure? Change the setting in chrome://flags/#enable-mark-http-as to “actively dangerous”.

Don't like that Secure wording and want only the lock? Or want to see how your browsing habits will (not) change when the special EV treatment (a company name displayed next to the padlock) disappears? Try different options in chrome://flags/#simplify-https-indicator.

Think the https:// in the URL bar is dumb? And what about that www? Just flip chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains to hide them. On Mac, this flag requires MacViews, which you can enable in chrome://flags/#secondary-ui-md.

Firefox has similar settings in about:config: security.insecure_connection_icon.enabled shows a strike-through lock for all HTTP pages (security.insecure_connection_icon.pbmode.enabled does the same for private windows only), and security.insecure_connection_text.enabled adds the Not Secure wording to HTTP pages (security.insecure_connection_text.pbmode.enabled for private windows only).

But remember, these hidden settings might change or be removed completely in future releases without any warning.


Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.

Public trainings

Come to my public trainings, everybody's welcome:

PHP application security
(December 11–12, 2018 Praha)

HTTPS for developers and admins
(December 13, 2018 Praha)