Chrome will mark payment and login pages as unsafe if they don't use HTTPS

Google Chrome will start marking websites that transmit login data and payments unencrypted as 'not secure' in the browser. In the future, Google plans to mark all websites that don't use HTTPS as unsafe, Google Chrome's security team writes in a blog post.


Starting with Chrome 56, scheduled for January 2017, the browser will show an information icon with 'not secure' next to the URL. Currently Chrome indicates HTTP connections with a neutral indicator. Sites that use encrypted connections over HTTPS show a green icon.

According to Google, the neutral indicator doesn't properly convey the lack of safety of regular HTTP websites. These sites can be modified by someone else on the network before they reach the user. A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. Recently Google hit a milestone with more than half of Chrome desktop page loads served over HTTPS.

Because users don't perceive the neutral indicator as a lack of security, and because users become blind to warnings, Google has decided to introduce the new measure, which it will roll out gradually. Starting with Chrome 56, all HTTP pages with password or credit card form fields will be marked as "not secure". In following releases, Google will continue to extend HTTP warnings, for example by labelling HTTP pages as "not secure" in Incognito mode, where users may have higher expectations of privacy.
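For site owners who want to find the pages this first phase affects, the following added example (not code from Google or from the original article) audits page HTML for password or credit card fields served over plain HTTP. It assumes card fields can be recognised by `autocomplete="cc-*"` tokens, which is an approximation and not Chrome's own detection logic; the URLs and markup are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that look like password or card fields."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password":
            self.hits.append(("password", a.get("name", "")))
        # Assumption: card fields carry autocomplete="cc-number", "cc-exp", etc.
        elif any(t.startswith("cc-") for t in a.get("autocomplete", "").lower().split()):
            self.hits.append(("credit-card", a.get("name", "")))


def audit_page(url, html):
    """Report sensitive fields and whether the page is served over plain HTTP."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    insecure = urlparse(url).scheme.lower() == "http"
    return {"url": url, "fields": finder.hits,
            "not_secure": insecure and bool(finder.hits)}


def flagged_urls(pages):
    """Return the URLs from a {url: html} mapping that need HTTPS first."""
    return [u for u, h in pages.items() if audit_page(u, h)["not_secure"]]


# Constructed sample pages (hypothetical site, not real data).
LOGIN = '<form><input type="text" name="user"><input type="PASSWORD" name="pw"></form>'
CHECKOUT = '<form><input name="card" autocomplete="cc-number"/></form>'
ABOUT = '<p>About us</p><input type="search" name="q">'
SAMPLES = {
    "http://shop.example/login": LOGIN,
    "http://shop.example/checkout": CHECKOUT,
    "https://shop.example/login": LOGIN,
    "http://shop.example/about": ABOUT,
}

if __name__ == "__main__":
    for url in flagged_urls(SAMPLES):
        print("would be marked 'not secure':", url, audit_page(url, SAMPLES[url])["fields"])
```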


Eventually, the search giant plans to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that is currently used for broken HTTPS.
