Chrome will mark all HTTP sites as “not secure”

Mattias Geniar, Friday, February 9, 2018

If you hadn't already, it's time to make "HTTPS by default" your new motto.

[...] within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

Source: Chromium Blog: A secure web is here to stay

Visually, every site on HTTP will be marked as "not secure" next to the address bar.

This essentially means:

  • Your site will need HTTPS (X.509 certificates needed)
  • You'll want to make sure you monitor for mixed content (HTTP resources on an HTTPS site)
  • You'll need to be aware of certificate expirations & renewals

A few years ago I wrote about "the real cost of 'S' in HTTPS", about how you only need a single error in your HTTPS setup or content to make your site unusable for visitors. HTTPS is an "it either works 100% or it doesn't at all" type of configuration.

Luckily -- and largely inspired by that blog post and the general adoption of HTTPS -- there are tools like Oh Dear! that help monitor your SSL/TLS certificates, scan for mixed content & report general errors of your HTTPS stack.
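
A minimal version of the mixed content check from the list above, as an added example (not from the original post and not Oh Dear!'s code): it parses a page's HTML and reports every subresource that would load over plain HTTP, labelled active or passive. The hosts, the sample page and the `scan` helper are constructed for illustration, and `<base href>` and CSS `url()` references are not handled.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource, per tag.
FETCH_ATTRS = {
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "object": ("data",), "img": ("src", "srcset"), "audio": ("src",),
    "video": ("src", "poster"), "source": ("src", "srcset"), "link": ("href",),
}
# Insecure loads of these can alter the whole page, so browsers block them.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for each http:// subresource of an HTTPS page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are checked; canonical/alternate are metadata.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""
            # srcset is a comma-separated list of "url descriptor" pairs (simplified split).
            parts = value.split(",") if name == "srcset" else [value]
            for url in (p.split()[0] for p in parts if p.strip()):
                # Resolve relative and protocol-relative URLs against the page URL.
                absolute = urljoin(self.page_url, url)
                if urlsplit(absolute).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((kind, tag, absolute))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (hypothetical hosts), served from https://example.test/post
SAMPLE = """
<link rel="canonical" href="http://example.test/post">
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
<a href="http://other.example.test/">plain link, not a subresource</a>
<img src="/img/logo.png" srcset="http://img.example.test/a.png 1x, https://img.example.test/b.png 2x">
"""

if __name__ == "__main__":
    for finding in scan("https://example.test/post", SAMPLE):
        print(*finding)
```

The canonical link, the protocol-relative script and the plain `<a href>` are not reported: none of them makes an HTTPS page fetch a resource over HTTP.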



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.
