Google has announced it is changing the way it marks up secure HTTPS pages, removing the green padlock.
The web giant explained in a blog post at the end of last week that “users should expect that the web is safe by default,” and so will only be told in future if the site they’re visiting is not secure.
“Since we’ll soon start marking all HTTP pages as ‘not secure’, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the ‘Secure’ wording and HTTPS scheme in September 2018 (Chrome 69),” wrote Chrome Security product manager, Emily Schechter.
“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red ‘not secure’ warning when users enter data on HTTP pages.”
The move could confuse consumers looking out for a padlock in the short term, but ultimately should be seen as a positive move in forcing businesses to improve the security of their sites, argued Venafi VP EMEA, Craig Stewart.
“However, as we’ve already seen from the depreciation of SHA-1 certificates, organizations are typically slow to react to warnings of this kind and can often underestimate the task at hand. Many organizations do not properly track which certificates they have applied where, and have thousands of certificates that they are unaware of,” he added.
“Just the task of discovering these and making sure they are upgraded to HTTPS will be a big task and, if done manually, there are likely to be gaps which cause disruption to customers and business processes. This is why businesses need to take control of their security and use automation to enable them to be agile in applying new changes such as switching from HTTP to HTTPS certificates.”