Posts Tagged #HTTPS

HTTPS, or HTTP Secure, is one of the core protocols of the modern Web. By establishing an encrypted connection between a browser and a web server, HTTPS provides users with the assurance that their browsing traffic has not been modified or eavesdropped on during its journey across the Internet.

Posted on by Arnon Erba in News

(Editor’s note: This post has been updated since publication.)

As announced in February this year, Google Chrome’s interface is evolving to indicate more clearly to users that websites using plain HTTP are not loaded securely and that HTTPS connections should be the expected default. Today, Chrome is pushing a change that affects all HTTP sites worldwide: starting in version 68, Chrome will display a “Not Secure” warning in the address bar for every site loaded over HTTP.

This isn’t the first change Chrome has made to clearly indicate that HTTP is not secure. Chrome has been marking HTTP traffic as “Not Secure” in Incognito mode as far back as version 62. The “Not Secure” warning has also been appearing for HTTP sites in Chrome’s normal mode when a page contains a password field or when the user interacts with any input field.

Although Chrome has taken the lead, Mozilla Firefox is also on board with the effort to visually flag HTTP pages as insecure. Firefox currently displays an address bar warning for HTTP sites that contain login forms and displays a visible warning message next to login forms that are served insecurely.

What’s Next

The future will bring more changes to the way Chrome visually handles HTTP and HTTPS connections. As I covered back in May, Chrome is scheduled to remove the “Secure” text from HTTPS connections in September with the release of Chrome 69. One month later, in October 2018, Chrome 70 will color the HTTP “Not Secure” warning red when users enter data into insecure sites.

(Ed: A previous version of this post inaccurately reflected the circumstances in which the “Not Secure” warning will be colored red in Chrome 70. The color will only change when users enter data on HTTP pages.)

Posted on by Arnon Erba in News

Today, the Google Chrome security team announced the next step in their plan for handling plain HTTP pages in Chrome. Over the past couple of years, the Chrome team has been slowly increasing the negative visual feedback users get when they interact with unencrypted HTTP sites, and back in February 2018 the team announced a plan to eventually mark all plain HTTP pages as “Not secure” in the address bar. That visual change is still scheduled to take effect in July 2018, but the team has already announced another big change, this time to the way Chrome visually handles already-secure HTTPS sites.

A Little Less Carrot, and a Little More Stick

Starting in September 2018, Google Chrome will no longer display the word “Secure” in the address bar for sites that support HTTPS. The rationale behind this change is that users should only be warned when a site is not loaded securely. Otherwise, users have to look for the absence of a padlock or of the “Secure” text, and an obvious warning about insecure content is generally more noticeable than the lack of a positive visual indicator. As shown in the screenshot below, the padlock icon will still stick around for a while longer, although it will no longer be colored green.

Later, in October 2018, the forthcoming “Not secure” warning on HTTP pages will turn red when users try to enter data into any form loaded over HTTP. Currently, the “Not secure” warning is only shown on HTTP pages with password forms, and when shown it is colored grey to match the site’s URL.

Still a Controversial Change

Google’s significant push towards universal adoption of HTTPS has not been without controversy. It’s generally accepted (for fairly obvious reasons) that sites handling the submission of sensitive data — like passwords and credit card numbers — should use HTTPS, but advocates of universal HTTPS suggest that even the most insignificant sites can still benefit from encryption.

For one, some sites still only use HTTPS for their login pages and serve the rest of their content over HTTP, which can open users up to very real attacks like session hijacking. Also, since all HTTP traffic is sent over the Internet completely unencrypted, it can be modified in transit, censored, scraped for tracking purposes, or have advertisements injected into it. While rare, ad injection by ISPs is very real, and the fact remains that HTTP traffic can be snooped on by anyone from local Wi-Fi hijackers to national governments.

On the other hand, opponents of universal HTTPS raise several complaints. Some claim that HTTPS is simply not needed for sites that do not handle sensitive data and do not care what happens to their content in transit. Others suggest that deprecating HTTP will kill off old, unmaintained websites from the ’90s and early 2000s that contain valuable information and will likely never be migrated to HTTPS.

Mainly, opponents claim that Google is exercising an unreasonable amount of monopolistic authority over the future of the Web. Google has already been using HTTPS as a positive ranking signal in its search results since 2014, and as a company it does have a significant amount of influence over the Web.

An Ideological Dispute

At some level, the pro-vs-anti-HTTPS debate boils down to an ideological dispute over who should control the future of the web. Proponents claim that universal HTTPS is genuinely in everyone’s best interest, while opponents rankle at the thought of the Web being influenced by Internet companies rather than being the free-to-enter, open-to-everyone system that they feel it began as. Realistically, Google isn’t the only major company backing universal HTTPS, and with the amount of support behind the movement it’s unlikely to show any signs of slowing down.