Skip to main content
Most of us are familiar with the green lock icon that appears in the address bar of our browser — the lock indicates that our connection to a website is secure. Over the past few years, browser vendors including Google, Mozilla, Apple and Microsoft have ramped up their efforts around online security. To encourage website owners to serve their sites securely, the vendors are making HTTPS a requirement for modern browser features such as geolocation, taking pictures or recording audio, enabling offline app experiences with service workers, and building progressive web apps. Google in particular is leading the charge in promoting site security. Besides preferring HTTPS-enabled sites in search rankings over non-HTTPS-enabled sites, Google is warning users more clearly about insecure sites in Chrome. Earlier this year Chrome began visibly indicating that a site was "Not secure" when it served login or payment forms over regular HTTP. This was an important step in reminding users that they couldn't trust those insecure pages with sensitive data. Starting with Chrome 62 in October 2017, these notifications will be taken a step further. Now all websites with form fields (not just email, password, or credit card fields, but any input fields) delivered over plain HTTP will trigger a "Not secure" message in the address bar when a user enters information.This warning will appear for every site with even the simplest of forms. For example, search fields are ubiquitous on most institutional and corporate pages, and an insecure form means that a user's search terms could be intercepted and collected by an unknown third-party. In Chrome 62 and beyond, the browser will flag that risk to the user:secure search URLIn addition, users who browse a site in Chrome's Incognito mode will see the warning on all insecure pages regardless of whether they have forms or not. And at some point in the future Chrome will mark all websites served over HTTP as non-secure and label them with a red alert triangle. Businesses should be aware of this upcoming October update and prepare accordingly so that their visitors are protected and not unduly alarmed. If your site doesn't currently have an SSL certificate, now is the time to acquire one and secure your web presence. It's no longer just a matter of protecting obviously private data like credit cards and passwords — in 2017 it is essential to safeguard your users' entire site experience. Delivering your site over HTTPS also positions you to take better advantage of new browser capabilities that will be HTTPS-only. For more information, check out the article on Google's Online Security blog.