The Chrome browser’s upcoming versions will focus on highlighting its negative security indicators, even going as far as sunsetting its positive ones.
Chrome Security Product Manager Emily Schechter has announced in a blog post that Chrome 69, which will be available in September, will stop marking HTTPS sites as “Secure” on the address bar. Why? Well, because Google wants the default state to be secure.
Emily Schechter, explained that the company is now comfortable making this move as a large chunk of Chrome’s traffic is now via HTTPS.
Since most traffic is HTTPS anyway, it’s not necessary to draw the user’s attention to the “Secure” indicator anymore.
Instead, Chrome will focus on highlighting situations when the user is accessing an insecure HTTP website. That’s why, Google will be marking all HTTP sites as “Not Secure” starting with Chrome 68, set for release in July.
Although, the “Secure” indicator in Google’s UI was never really good idea. Even if it was well-intentioned, because its proposed as a way to incentivise switching to HTTPS, it has instead made phishing websites more effective by adding a “secure” label in the address bar despite the site’s nefarious nature. And now it seems that Google has gotten enough buy-in to remove the indicator, which should help deal a blow to phishers the world over.
Google has been pushing the web to HTTPS for years, but it accelerated its efforts last year by making changes to Chrome’s user interface. Chrome 56, released in January 2017, and started marking HTTP pages that collect passwords or credit cards as “Not secure.” Chrome 62, released in October 2017, and started marking HTTP sites with entered data and all HTTP sites viewed in Incognito mode as “Not secure.”
With the release of Chrome 68 in July, here is what HTTP sites will look like in the address bar:
From the image of how the new UI will look, it shows that Google has also eliminated the protocol at the beginning of the URL. It used to start with “https://…,” which now be omitted.
With the release of Chrome 69 in September, HTTPS sites will no longer sport the “Secure” wording:
The new neutral UI, explains an extended validation what will only the kind of SSL certificate that will receive any kind of indicator. The removal will start in Chrome 70, which will be released in October, where Google will begin adding a more intense “Not Secure” indicator whenever you start entering text into an HTTP page.
Mozilla and the other browser vendors likely follow suit in the coming months.