Chrome will mark all HTTP sites as “not secure”


Mattias Geniar, February 09, 2018


If you hadn’t already, it’s time to make “HTTPS by default” your new motto.

[…] within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

Source: Chromium Blog: A secure web is here to stay

Visually, every site on HTTP will be marked as “not secure” next to the address bar.

This essentially means:

  • Your site will need HTTPS (X.509 certificates needed)
  • You’ll want to make sure you monitor for mixed content (HTTP resources on an HTTPS site)
  • You’ll need to be aware of certificate expirations & renewals

A few years ago I wrote about “the real cost of ‘S’ in HTTPS”, about how you only need a single error in your HTTPS setup or content to make your site unusable for visitors. HTTPS is an “it either works 100% or it doesn’t at all” type of configuration.

Luckily – and largely inspired by that blogpost and the general adoption of HTTPS – there are tools like Oh Dear! that help monitor your SSL/TLS certificates, scan for mixed content & report general errors of your HTTPS stack.
