Google Chrome 69 Removes Secure Badge from HTTPS websites
“Users should expect that the web is safe by default, and they’ll be warned when there’s an issue.”
With the release of Google Chrome 69, the web has reached a reasonable benchmark in its migration to HTTPS. As a result, Google is changing Chrome's address-bar UI and taking a new approach.
A few years ago, Google made encrypting the entire internet one of its core goals. An encrypted internet is a safer internet, because HTTPS protects the connection between browser and server and prevents the eavesdropping and tampering that plain HTTP allows.
To help spur this initiative, Google incentivized migrating to HTTPS. In 2014, it announced that having an SSL certificate installed and serving your site over HTTPS was an SEO ranking signal. Since then, Google and the other browser vendors have made new features exclusive to HTTPS sites and restricted some legacy features on HTTP sites.
More recently, and more impactfully, Google added a unique visual indicator to its address bar, its biggest incentive yet. Up until this point, the standard UI for an HTTPS site was simply a padlock icon and the protocol, https://, listed at the start of the URL. To entice more websites to migrate, Google began adding a "Secure" badge in the address bar.
This had some unintended consequences: it ended up aiding phishing attacks by lulling Chrome users into a false sense of security, since the badge only attests to an encrypted connection, not to the legitimacy of the site. HTTPS phishing has exploded in the year since Google changed its UI. At one point last fall, 1.4 million new phishing websites were being created each month.
But Google was willing to accept imperfection because it felt that the net positive was far greater. Now, with an appropriate threshold of the Internet using SSL/TLS, Google has decided to reverse course and remove the Secure badge.
This marks a major shift in Google's approach. Until now, Google has pushed sites toward its HTTPS mandate with incentives. Now it will go the other direction and begin actively penalizing websites that are still served over HTTP.
Starting in Chrome 69, with the exception of the Extended Validation green bar, the standard treatment for HTTPS will be just a gray padlock: no protocol at the start of the URL, no "Secure" badge, just a padlock.
Eventually, even the padlock will go away, and you’ll be left with just a domain name and a TLD. But for now, the padlock remains.
The warnings have escalated, though. From now on, a website served via HTTP will receive a "Not Secure" badge with an encircled exclamation point. And starting next month, with the release of Chrome 70, the warning will turn red as soon as a user attempts to input text on an HTTP page.
Google is done asking politely; now it's making demands. If you're not using SSL/TLS, Google is going to call your website out on it. And when Google issues a browser warning, the vast majority of internet users listen.
The deadline has passed. HTTPS is now mandatory.
Originally posted on Wed Oct 3, 2018