With Chrome, Google is on a mission. A mission to make the internet a safer place. Its ultimate goal is to display a warning that HTTP sites (rather than HTTPS) are insecure, but this is a long-term plan and there are many stages to go.
Starting at the beginning of next year in Chrome 56, the plan moves to its next stage. As of January 2017, any HTTP sites that transmit passwords or credit card details will be flagged up as being insecure.
Google is keen to educate users that any information transmitted over an HTTP connection is vulnerable to being intercepted and read by a third party. As time goes on, more obvious and serious-looking warnings will be displayed about HTTP sites, but Google is not putting a time frame on this at the moment.
Talking about the public perception of online security, the company says:
Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.
A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we released our HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.
Studies show that users do not perceive the lack of a 'secure' icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as 'not secure', given their particularly sensitive nature.