Chrome will mark all HTTP sites as “not secure”

Mattias Geniar, February 09, 2018

If you hadn’t already, it’s time to make “HTTPS by default” your new motto.

[…] within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

Source: Chromium Blog: A secure web is here to stay

Visually, every site on HTTP will be marked as “not secure” next to the address bar.

This essentially means:

  • Your site will need HTTPS (X.509 certificates needed)
  • You’ll want to make sure you monitor for mixed content (HTTP resources on an HTTPS site)
  • You’ll need to be aware of certificate expirations & renewals
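
The mixed-content check from the list above, as an added Python example (not code from the original post or from Oh Dear!). It goes slightly beyond the text by separating active from passive mixed content and by honouring `<base href>`; the names `scan` and `MixedContentScanner` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> URL attribute. Browsers block "active" mixed content outright and
# load "passive" mixed content while downgrading the security indicator.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = self.base = page_url  # base changes on <base href>
        self.findings = []                    # (class, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.page_url, a["href"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("active", tag, a.get("href"))
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            if tag in table:
                self._check(kind, tag, a.get(table[tag]))

    def _check(self, kind, tag, url):
        # urljoin resolves relative and protocol-relative (//host) URLs
        absolute = urljoin(self.base, (url or "").strip())
        if url and urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def scan(page_url, html):
    """Return mixed-content findings for one HTML document served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<img src="http://img.example.com/logo.png">
<img src="/static/ok.png">
<a href="http://example.org/">a plain link is not a subresource</a>"""

if __name__ == "__main__":
    print(*scan("https://www.example.com/", SAMPLE), sep="\n")
```

This only inspects HTML markup; HTTP URLs referenced from CSS `url()` values or requested by JavaScript at runtime need a rendering crawler to catch.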

A few years ago I wrote about “the real cost of ’S’ in HTTPS”, about how you only need a single error in your HTTPS setup or content to make your site unusable for visitors. HTTPS is an “it either works 100% or it doesn’t at all” type of configuration.

Luckily – _and largely inspired by that blogpost and the general adoption of HTTPS_ – there are tools like Oh Dear! that help monitor your SSL/TLS certificates, scan for mixed content & report general errors of your HTTPS stack.
