Chrome to start shaming HTTP sites

Chrome will mark non-HTTPS sites that transmit passwords or credit cards as insecure from the start of next year to warn users against unencrypted connections.

Google's 56th version of its Chrome web browser, due out in January, will label HTTP login pages and credit card forms as 'not secure' in a grey window next to the address bar.

It's the first step in Google's long-term plan to stamp out unencrypted web connections. It will increase its warnings progressively to all HTTP pages, including in incognito mode, and implement the same red triangle icon it currently uses to alert to a broken HTTPS.

"Chrome currently indicates HTTP connections with a neutral indicator," Google security staffer Emily Schechter wrote.

"This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."

The changes are intended to prompt site owners to switch to HTTPS, which encrypts data in transit to prevent access by attackers.

Google in July introduced HTTP Strict Transport Security (HSTS) on its google.com domain to stop users accidentally navigating to insecure HTTP URLs.

Fellow tech giant Apple is also on the HTTPS campaign, telling app developers earlier this year that they will need to force HTTPS connections for iOS apps by the end of the year.