Google announced in February that it would brand non-HTTPS sites as “Not Secure,” and today, with the release of Chrome 68, that change is rolling out to a wide audience.
With the change, every site gets a label in its address bar: “Secure” if the page is loaded over HTTPS, “Not Secure” otherwise. In September, Google will make a further change and drop the “Secure” label altogether, marking the transition to a world where HTTPS is the default rather than the exception and only its absence is called out.
Most major online sites and services now support HTTPS and default to it. Correctly configured, a server should redirect any attempt to load a page over plain HTTP to HTTPS, so that the content cannot be read or tampered with in transit. The redirect alone does not protect the very first cleartext request, which an on-path attacker can answer before the server does; closing that gap is what HTTP Strict Transport Security (HSTS) and the browser preload list are for. However, Troy Hunt—creator of the Have I Been Pwned service—has found that a number of popular sites can still serve content insecurely.
Sometimes this is because a site does not redirect from HTTP to HTTPS at all; other times the problem is more subtle, such as particular pages being reachable over HTTP even though the rest of the site is configured correctly. The list includes some very high-traffic domains, such as the Chinese search engine baidu.com, Twitter’s URL shortener t.co, and the BBC’s international website bbc.com. Whatever the cause of these misconfigurations, the result is that even though the sites are normally served securely, a stale or malicious http:// link is enough to land a visitor on the insecure version.
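As an added example (not part of the original article, and not Troy Hunt’s tooling), the following Python script classifies what a server does with a plain-HTTP request, audits several paths rather than only the front page, and flags a Strict-Transport-Security header that is sent over HTTP, where browsers ignore it. The host example.test, the paths and the responses are constructed for illustration; the live probe is included for real use but is not called, so the script runs offline.

```python
"""Audit how a site answers plain-HTTP requests: redirect to HTTPS, or leak content?"""
import http.client
from urllib.parse import urljoin, urlsplit


def classify_http_response(request_url, status, headers):
    """Classify the response a server gave to a plain http:// request.

    Returns one of:
      "redirects-to-https"       the only acceptable outcome for an HTTP request
      "redirects-to-http"        a redirect that keeps the visitor on cleartext HTTP
      "redirect-without-location"
      "serves-content-over-http" the page itself is delivered in the clear
      "error-<status>"           anything else (4xx/5xx)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        location = lower.get("location")
        if not location:
            return "redirect-without-location"
        # Resolve relative Location values against the request URL before
        # looking at the scheme, so "/signin" is recognised as still-HTTP.
        target = urlsplit(urljoin(request_url, location))
        return "redirects-to-https" if target.scheme == "https" else "redirects-to-http"
    if 200 <= status < 300:
        return "serves-content-over-http"
    return f"error-{status}"


def hsts_verdict(request_url, headers):
    """Evaluate Strict-Transport-Security. Per RFC 6797 a browser ignores the
    header on a response received over HTTP, so it only counts over https://."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return "no-hsts"
    if urlsplit(request_url).scheme != "https":
        return "hsts-ignored-over-http"
    max_age = 0
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return "hsts-malformed"
    return "hsts-ok" if max_age > 0 else "hsts-zero-max-age"


def audit_paths(host, responses):
    """responses: {path: (status, headers)} from plain-HTTP requests to host.
    Returns [(path, verdict)] for every path that is NOT redirected to HTTPS,
    which is how a site that is 'mostly' correct still leaks individual pages."""
    insecure = []
    for path, (status, headers) in responses.items():
        verdict = classify_http_response(f"http://{host}{path}", status, headers)
        if verdict != "redirects-to-https":
            insecure.append((path, verdict))
    return insecure


def probe_http(host, path="/", timeout=10):
    """Issue one plain-HTTP GET without following redirects; returns (status, headers).
    http.client does not auto-follow 3xx, so we see the server's first answer.
    Not invoked below, to keep the example offline; feed its output to audit_paths."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "https-audit/0.1"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample responses for a hypothetical host; not captured from
    # any site named in the article.
    sample = {
        "/":      (301, {"Location": "https://example.test/"}),
        "/about": (200, {"Content-Type": "text/html"}),
        "/login": (302, {"Location": "/signin"}),
    }
    for path, verdict in audit_paths("example.test", sample):
        print(f"{path}: {verdict}")
    print(hsts_verdict("http://example.test/", {"Strict-Transport-Security": "max-age=31536000"}))
```

Checking only the front page would have passed the sample site above; the audit over several paths is what surfaces the leaking /about page and the /login redirect that never leaves HTTP, and the HSTS check reports that a header emitted on the HTTP response does nothing until it is also sent on the HTTPS one.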
There are even some sites whose configuration is completely broken. For instance, the UK’s Daily Mail, dailymail.co.uk, is presently presenting an invalid certificate on its HTTPS endpoint, so browsers reject the secure connection and only the plain-HTTP version is usable.