To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), Google will mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure and affect certain unsecured web pages that feature entry fields for sensitive data, like passwords and payment card numbers, according to a post on the Google Security Blog.
Unencrypted HTTP has been considered dangerous particularly for login pages and payment forms, as it could allow a man-in-the-middle attacker to intercept passwords, login session, cookies and credit card data as they travel across the network.
In the following release, Chrome will flag HTTP pages as "Not secure" with a neutral indicator in the address bar of incognito mode, where users may have higher expectations of privacy.
Then, in the future, Chrome will flag all HTTP sites as "Not secure" with the same red triangle indicator the browser currently uses to indicate a broken HTTPS website.
"Chrome currently indicates HTTP connections with a neutral indicator," Emily Schechter wrote in a blog post. "This doesn't reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."
This isn't the first time when Google is taking steps to encourage site owners to switch to HTTPS. Two years back, Google also made some changes to its search engine algorithm in an effort to give a ranking boost to the websites that use encrypted HTTPS connections.
Last month, Google also implemented HTTP Strict Transport Security (HSTS) on its main domain (google.com) in an effort to prevent users from navigating to websites using the insecure HTTP.
A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. Google recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time Google released their HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.
Not only Google, but Mozilla has also been encouraging users to adopt HTTPS through its Let's Encrypt project that provides free SSL/TSL certificates for website owners to help them implement HTTPS for their services.