Why Google Chrome is flagging millions of sites as ‘not secure’

Google’s online web browser Chrome is flagging countless websites as “not secure” following the roll-out of a new security feature yesterday.

The update, dubbed Chrome 68, flags any site that does not feature HTTPS (hypertext transfer protocol secure) encryption, a security measure that scrambles signals to and from the site in order to prevent spying.

Users are still able to access unencrypted websites without interference, but Chrome will display a “not secure” sign on the left-hand side of the address bar at the top of the screen.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Clicking on the sign leads to a drop down menu that warns users “against entering any sensitive information into the page, like personal details and credit card info”, says TechRadar.

According to the BBC, “more than half” of the internet’s top million websites are not equipped with HTTPS encryption. The Daily Mail online is the UK’s busiest unencrypted site.

The broadcaster adds that “there is no evidence” to suggest such sites “are currently subject to attacks that abuse insecure data”.

Google hopes its new warning system will gradually push all websites to HTTPS encryption, says CNet. The first attempt to flag non-secure websites was in 2016, when Chrome began issuing warnings to users when they entered a site that didn’t secure passwords or personal details correctly.

In September, Google will introduce another update, Chrome 69, which will change the green hue around “secure” websites to black. This will be followed by version 70 in October, where the “not secure” warning sign will change from black to red.

Is your data secure?

That depends on how users interact with a non-HTTPS website.

According to Wired, all information sent to websites without encryption “can be intercepted by a hacker or other bad actor”. In the most extreme cases, hackers steal confidential information by using a fake website that appears to be legitimate.

There are also privacy implications, the tech news site says. Hypothetically speaking, both an internet service provider (ISP) and a bad actor can monitor a user’s activity on sites that are not encrypted.

The BBC says that “many sites are now rapidly adopting HTTPS as a result of a growing consensus around its use”, and notes that Chrome’s new flagging system may help speed that process.

In the meantime, users accessing “not secure” websites are advised to be wary of submitting personal details.