​Chrome to warn when insecure websites expose your passwords

Google believes unencrypted websites are fundamentally flawed and should be banished. It's enlisted its own web browser to spread the message.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors | Semiconductors | Web browsers | Quantum computing | Supercomputers | AI | 3D printing | Drones | Computer science | Physics | Programming | Materials science | USB | UWB | Android | Digital photography | Science Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Stephen Shankland
2 min read
​Chrome eventually will warn that any unencrypted website is insecure.

Chrome eventually will warn that any unencrypted website is insecure.


Google's Chrome browser soon will begin warning you when websites aren't securing your passwords or credit card numbers properly, an early step in the company's plan to fundamentally change how we view encryption on the web.

Encryption scrambles data so eavesdroppers can't understand information being sent to or from your web browser. It also keeps people from modifying websites -- for example, by inserting their own advertisements. And it makes life harder for police investigators and spies, which is why law enforcement and surveillance authorities have been trying to find ways around encryption.

Google wants encrypted websites to become the norm to improve privacy and security, and it's using its browser to push that agenda to hundreds of millions of people who use it. Starting with Chrome 56, due in January 2017, the browser will present a "not secure" alert on websites that handle passwords and credit card numbers insecurely.

It's a small, not terribly controversial change. Website encryption was invented more than two decades ago precisely so this kind of information could be secured to enable e-commerce. But this is just a first step in Google's plan to get us all to think of unencrypted websites as flawed, not ordinary.

The FBI may not like it, but Google's pro-encryption stance is increasingly common. As we live more and more of our lives online, building better privacy into the global internet seems sensible.

To fetch website content from where it's stored on a web server, your browser uses the foundational technology called HTTP, or Hypertext Transfer Protocol. For encrypted website communications, though, browsers use a secure version called HTTPS. To encourage website developers to move from HTTP to HTTPS, Google gradually will spread the Chrome "not secure" warning to any website delivered over HTTP, not just those with passwords and credit card numbers.

"Chrome currently indicates HTTP connections with a neutral indicator. This doesn't reflect the true lack of security for HTTP connections," said Emily Schechter, a member of the Chrome security team, in a blog post Thursday. "When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."