Bulletproof TLS Newsletter #43
Chrome now says “not secure” for HTTP web pages
31 July 2018
Author: Hanno Böck

This issue was distributed to 46,173 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Chrome now says “not secure” for HTTP web pages
  2. Short news

Chrome now says “not secure” for HTTP web pages

With its recently released version 68, the Google Chrome browser introduced warnings on all web pages not using HTTPS. A “Not secure” label appears to the left of the URL for every page loaded over HTTP.

This step was announced in February, but it’s been expected for quite a while. Google aims to make HTTPS the default on the web and eventually wants to remove “positive” security indicators like the green lock.

Right now, the warning is still in its mildest form. Future versions will likely contain a red warning sign, as Google has explained previously.

On the day Chrome enabled the warnings by default, security researchers Troy Hunt and Scott Helme started the Why No HTTPS? project, which lists popular web pages that don’t yet default to HTTPS and can also show them sorted by country. The most popular page not defaulting to HTTPS is the Chinese search engine Baidu; the most popular non-Chinese page in the list is Twitter’s URL shortening service, t.co.

Short news