Bulletproof TLS Newsletter #38
Chrome will mark HTTP pages as not secure
28 February 2018
Author: Hanno Böck

This issue was distributed to 43,408 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Chrome will mark HTTP pages as not secure
  2. Short news

Chrome will mark HTTP pages as not secure

Google has been a major force in pushing HTTPS by default. For years, Google stated that the plan was to mark all HTTP connections as insecure in the Chrome browser eventually. However, this was a change that couldn’t happen overnight. It would have caused too many warnings for average Internet users, ultimately leading to warning fatigue.

But now, due to the rise in HTTPS connections, Google has decided that the time for a secure web by default has come. In July, with the release of version 68, default warnings for all HTTP web pages will land in Chrome.

This outcome was prepared over a long period. Chrome started by showing warnings on login forms and later extended that to all input forms. Also, many powerful web features like microphone access, geolocation, or HTTP/2 have been offered only via HTTPS. Mozilla has implemented similar measurements.

A blog post by Cloudflare’s Patrick Donahue provides a good overview of the path to a web that is HTTPS by default.

Short news