Sophos News

You have five months to switch your website to HTTPS

As far as Google is concerned, unencrypted HTTP web connections should be nearing the end of the road.
In 2014 at the I/O conference, it declared “HTTPS everywhere” as a security priority for all web traffic, followed in 2015 by the decision to downrank plain HTTP URLs in search results in favour of ones using HTTPS (where the latter was available).
A year ago, it started labelling sites offering logins or collecting credit cards without HTTPS as ‘not secure’.
In a symbolic moment, it has now confirmed that with the release of Chrome 68 in July, this label will be applied to all websites not using HTTPS.
It’s a small change that streamlines the slightly confusing way Chrome denotes the presence or absence of HTTPS in address bars. From July, the ambiguous grey ‘i’ icon used to tag many non-HTTPS sites today will be supplemented by a clearer ‘not secure’ label. This will look like:

Other browsers (Firefox, Edge, Opera) rely on green or grey padlock symbols to denote HTTPS sites, dropping back to more than one type of grey icon for non-secure HTTP.


But Google’s Chrome is the only one to use words and not simply symbols and colours to denote the use of HTTPS. Explains Google:

Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default.

Getting there?

A look at Google’s figures suggests this strategy of coaxing website owners and users to see HTTPS as important is working, with 68% of Chrome traffic on Android and Windows connecting to HTTPS sites. Eighty-one of the top 100 web destinations use it by default.
Some surprisingly big sites such as the BBC apply it inconsistently, using HTTPS for their homepages but dropping back to HTTP for individual content pages (compared to, say, the New York Times, which uses HTTPS for everything).
But as more and more sites adopt HTTPS, history suggests getting the last few percent of holdouts to sign up might take a while.
Google’s other problem is the old adage about being careful what you wish for: criminals have been seen to exploit HTTPS to gain the trust of users.
No matter how worthy Google’s dream of HTTPS everywhere, there’s still a lot of work ahead.