It’s been a lengthy process. Back in 2015, Google announced that plain HTTP URLs would be down ranked in search results to favour more secure sites. And last year they started to label sites that took payment information or log in credentials without the HTTPS as ‘not secure’, as a warning to users.
Named and shamed
In July 2018 Google are finally releasing an update of Chrome where all HTTP sites will be named and shamed. So rather than wear the badge of shame, it’s now in the hands of the website owner to make their site secure. Or face the wrath of Google – though really shouldn’t these sites be temporarily banned until they adopted HTTPS, if they were taking security seriously?
Google said “Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default.”
Not all on board
More than 68% of Chrome traffic on Android and Windows is currently protected, and over 78% is protected on Chrome OS and Mac. Out of the top 100 sites on the internet, 81 are encrypted and using HTTPS. Surprisingly, some big sites such as the BBC apply it inconsistently. They use HTTPS for the homepages, but drop back to HTTP for content pages. Not the best practice.
Look for the padlock sign
In case you didn’t know why HTTPS is so important, it protects the channel between your browser and the website you’re visiting, making sure that no one in the middle can spy on what you’re doing. It’s super important for any sites that take payments or include sensitive information. Always look out for the little padlock at the top of your browser.
As Google offer a free to use security audit tool called LightHouse, developers can work out which website resources still load using insecure HTTP. Which is hella useful if you find yourself in a BBC situation.