It's happened: current Chrome is warning users about insecure pages

First transition in Google's HTTPS-everywhere plans is done

By Mike on 2nd Sep 2016

It's happened. Today Chrome's stable channel was updated with a new HTTPS UI. The changes in these versions of Chrome (Chrome 53 for Windows; Mac users got them in Chrome 52) complete 'transition 1' in Google's HTTPS plans, first announced in December 2014:

T1: Non-secure origins marked as Dubious

In other words:

Chrome now explicitly tells users non-HTTPS sites aren't private.

If a Chrome user visits a site that isn't private - for example, there's no HTTPS, broken HTTPS, or HTTPS only on 'checkout' pages - Chrome now displays a mid-grey colored info box:

In the case above, Chrome is warning you before American Apparel lets whoever runs your WiFi access point know what underwear you're about to purchase.

Clearer identity for EV

The new stable versions of Chrome also have a clearer identity display for certificates that have been through extended validation: the verified legal entity (in most cases, a company name) is simply displayed in front of the address, without a background.

The new Chrome EV UI is higher contrast, much easier to read than the previous version, and looks similar to what Microsoft Edge does:

At CertSimple we've already updated the certificate previews we use for Chrome users to reflect the changes.

What's next

The next step in Google's plans is simple:

T2: Non-secure origins marked as Non-secure

I.e., the grey exclamation mark will get redder as more sites begin to update and HTTPS market share increases.

After that, HTTPS becomes a regular part of the web, i.e., we don't bother displaying https:// or the green lock anymore, because all websites should have them:

T3: Secure origins unmarked

The timelines for this are fluid, but T2 is coming, and if you're not on HTTPS - properly, not just for your checkout pages - you need to get on it. Also: site-wide HTTPS gets an SEO boost.

Still not on HTTPS?

You can pick up free DV HTTPS certs from Let's Encrypt, CloudFlare, or Heroku.

If you have an active registered company and want to prove your identity with EV HTTPS, give CertSimple a try - we're an EV-only HTTPS provider that specialises in helping you pass through the required background checks as painlessly as possible!

Mike MacCana, founder at CertSimple.
