Chrome will mark all HTTP sites 'not secure' from July

Google's Chrome web browser will mark all HTTP sites as "not secure" from July this year.

The company is on a long-term drive to stamp out unencrypted web connections, having begun to demote unencrypted sites in search results in 2015. Last year it started labelling HTTP login pages and credit card forms as 'not secure'.

At the moment Chrome displays HTTP connections with a neutral 'information' indicator in the address bar.

However from Chrome version 68, the browser will explicitly call out all HTTP sites as 'not secure'. 

Image credit: Google

The changes are intended to prompt site owners to switch to HTTPS, which encrypts data in transit to prevent access by attackers.

Google in July introduced HTTP Strict Transport Security (HSTS) on its google.com domain to stop users accidentally navigating to insecure HTTP URLs.

Google said increased adoption of HTTPS had prompted it to make the move on HTTP sites; it said 81 of the top 100 sites now default to HTTPS.

“Based on the awesome rate that sites have been migrating to HTTPS and the strong trajectory through this year, we think that in July the balance will be tipped enough so that we can mark all HTTP sites," Chrome security product manager Emily Schechter said in a blog post.

Google offers its own Lighthouse tool for migrating a website to HTTPS. Automated services such as Let's Encrypt are similarly intended to take the headache of migration.

Chrome holds 59 percent of the global browser market share across mobile and desktop, according to NetMarketShare.