HTTPS: What ‘Not Secure’ means, and why the label is good for the web
With version 68 of Chrome, which is coming out this week, Google will start labelling any site that doesn't use HTTPS encryption as 'Not secure'. But what exactly is HTTPS, and why is Google naming and shaming sites that don't use it?
To be clear, the Chrome browser will still let you access these ‘Not secure’ sites. You’ll still be able to browse them in the same way that you’ve always done.
But the hope is that this ‘Not secure’ label will provide enough bad publicity for sites that they’ll be incentivised into building HTTPS support into their sites by default.
This is just one part of a larger trend by Google to try and make encrypted web traffic the default rather than the exception.
Chrome 69, which is set to roll out in September, will take away the ‘Secure’ label from HTTPS sites to make them look normal rather than particularly secure, and then Chrome 70, set for release in October, will add further emphasis to the ‘Not Secure’ label by turning it red, and drawing more attention to it.
If this sounds like it’s all taking a lot of time then you’d be right. The problem is that HTTPS support isn’t a simple thing for websites to add, and the process can take months for larger organisations.
But that doesn’t mean it’s not worth doing. Encrypting web traffic is very important, and is something that keeps the whole internet safe and secure.
HTTP vs HTTPS
So what’s the deal with HTTPS, and why is it so much better than HTTP?
HTTP is one of the most important building blocks of the internet. Websites are written in HTTP, so almost everything you’re reading right now has been constructed and transferred using it.
The problem is that it’s not encrypted, meaning that anyone who controls a part of the network connecting you to this website can snoop in on you.
But that’s not the only problem. CNET notes that using HTTP means people can meddle or insert ads into the content that you’re viewing, use invisible software to mine cryptocurrencies, or even redirect you to trick you into giving away your passwords to a malicious site.
By encrypting your traffic, HTTPS stops these sorts of attacks in their tracks. No protocol is 100% secure, but it means that someone has to work a great deal harder to compromise your information.
Google’s move may appear to be a small one, but it should act as further encouragement to get the wider internet on board with encryption.
In the meantime, if you want to make sure you’re using the HTTPS version of a website when it exists but isn’t the default (yes it’s strange, but it’s not uncommon) then we’d recommend installing the HTTPS Everywhere Chrome or Firefox extension.
How relieved are you about the change? Let us know @TrustedReviews.