Secure? Or Not secure?

The latest version of the Google Chrome browser, version 68, introduced a new “Not secure” warning in the address bar that appears anytime you are visiting an insecure web page.

The reason you are seeing the “Not secure” warning is that the web page or website you are visiting is not providing a secure connection. When your Chrome browser connects to a website, it can use either HTTP (insecure) or HTTPS (secure). Any page served over an HTTP connection will cause the “Not secure” warning.

Why is my browser warning me with “Not secure”?

The warning refers to the lack of security for the connection to that page. It’s basically saying that the page you’re visiting is not protected. Therefore, anyone with decent technical know-how, including people who have no business knowing, CAN potentially steal or monitor what you are doing on the website.

This “Not secure” warning appears on all pages using the HTTP protocol, which has been the default internet communication protocol prior to this change. All that has changed is that, moving forward, pages that have not been encrypted will be labeled as “Not secure”.

Over the last few years, websites have been transitioning to HTTPS — which pretty much means HTTP Secure. In a blog post announcing the change, Google described it as “a milestone for Chrome security.”

Do note however, that just because you are seeing the “Not secure” warning, it DOES NOT mean that your computer or the site you are visiting is affected by malware. It only serves to alert you that you do not have a secure connection with that page. Note that some websites may only support secure HTTPS connections on some pages, but not all; in these cases you may see the “Not secure” warning on only the insecure pages.

Quick Facts: What’s HTTPS?

HTTPS is HTTP with encryption. The only difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has http:// in its URL, while a website that uses HTTPS has https://.

Image by CloudFlare – HTTP vs. HTTPS

If you’re a website owner, or a website developer…

The “Not Secure” warning is being displayed on any page served over HTTP, which is an insecure protocol. If you are seeing this warning on a site you own or operate, you should resolve it by enabling the HTTPS protocol for your site.

HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. Using HTTPS requires that you purchase one or more SSL certificates; you can then install the certificate and enable the HTTPS protocol on your web server.

Just do it.

If you are the technical administrator or developer for your site, there’s almost no good reason not to have enabled HTTPS on your websites by now. You should begin by assessing whether you currently have any support for HTTPS. If you do not have HTTPS deployed at all, start by figuring out which SSL certificate you need. Your needs will vary depending on how many domain names you operate and whether you want your business to be validated for additional user trust.
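One way to run that first assessment, page by page, is sketched below. This is an added example, not code from the original article; the host `shop.example`, the paths, the label names and the sample responses are constructed for illustration.

```python
import http.client

def fetch(scheme, host, path, timeout=5):
    """One HEAD request, redirects not followed; None if connect or TLS fails."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)  # HTTPS verifies the certificate by default
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def redirects_to(resp, prefix):
    """True when resp is a redirect whose Location starts with prefix."""
    if resp is None:
        return False
    status, headers = resp
    is_redirect = status in (301, 302, 303, 307, 308)
    return is_redirect and headers.get("location", "").lower().startswith(prefix)

def classify(http_resp, https_resp):
    """Label one page from its plain-HTTP and HTTPS responses."""
    if http_resp is None and https_resp is None:
        return "unreachable"
    if https_resp is None or redirects_to(https_resp, "http://"):
        return "http-only"   # page ends up on HTTP: shown as "Not secure"
    if http_resp is None or redirects_to(http_resp, "https://"):
        return "https-only"  # every visitor ends up on HTTPS
    return "both"            # the http:// URL still answers: "Not secure" there

def assess(host, paths, fetcher=fetch):
    """Map each path to its label; pass another fetcher to run offline."""
    return {p: classify(fetcher("http", host, p), fetcher("https", host, p)) for p in paths}

# Constructed responses for a hypothetical site with partial HTTPS support.
SAMPLE = {
    ("http", "/"): (301, {"location": "https://shop.example/"}),
    ("https", "/"): (200, {}),
    ("http", "/blog"): (200, {}),
    ("https", "/blog"): (200, {}),
    ("http", "/forum"): (200, {}),
    ("https", "/forum"): (302, {"location": "http://shop.example/forum"}),
}

def sample_fetcher(scheme, host, path):
    return SAMPLE.get((scheme, path))
```

Calling `assess("shop.example", ["/", "/blog", "/forum"], sample_fetcher)` runs against the constructed responses; leaving out the third argument makes live requests to a host you operate.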

HTTP websites shown as 'Not secure'

All major web browsers — including Google Chrome, Mozilla Firefox, and Apple Safari — have enabled user interface elements that warn users about insecure pages. Therefore, it is important to support HTTPS both for the security benefits and for the optimal user experience. In addition, many new web technologies require HTTPS, and some of these can improve performance on your website.

If you’re a website visitor…

Firstly, there’s no reason to panic. Your device is safe, it has not been ‘hacked’, and you have done nothing wrong.

The reason you are seeing the “Not secure” warning is that the web page or website you are visiting is not providing a secure connection. When your Chrome browser connects to a website, it can use either HTTP (insecure) or HTTPS (secure).

All or nothing.

Any page providing an HTTP connection will cause the “Not secure” warning. You should avoid conducting any sensitive transactions on these pages — such as logging in, providing personal information, or payment information. Browsing insecure sites could put you at risk if you are viewing information that is dangerous or not condoned in your country.

As a visitor, you cannot fix the cause of this warning. The only way to solve the issue is for the website operator to obtain an SSL certificate and enable HTTPS on their site. This will allow your browser to connect securely with the HTTPS protocol, which it will do automatically once the website is properly configured.

If a site you frequently use is displaying the “Not secure” warning, you should contact them and ask them to start supporting HTTPS. You can also try manually replacing HTTP with HTTPS in the URL. However, this might not work most of the time. Some sites may have partial support for HTTPS, so it’s best if you notify them whenever you receive such warnings.

Note that even with basic browsing over HTTP — such as looking at recipes or reading news — what you are looking at can be monitored, modified, and recorded by entities, such as your ISP or government. This effectively means you do not have any privacy when browsing such pages.

Be safe.

On public Wi-Fi networks, like at a coffee shop or airport, there is an additional risk from ‘local attackers’. With the right tools, they can view and monitor your activities. Knowing that, try to avoid accessing the internet via public Wi-Fi whenever possible.

HTTPS certificates and protocols are widely available — and often free of charge — either through content distribution networks like Cloudflare or public service projects like Let’s Encrypt. That availability has spurred greater adoption in recent years. Google’s own HTTPS statistics show that 84 percent of pages loaded by US Chrome users are currently encrypted, compared to just 47 percent in July 2015.