As the Web moves toward HTTPS by default, Chrome will remove “secure” indicator

Found on Ars Technica on Thursday, 17 May 2018

Back in February, Google announced its plans to label all sites accessed over regular unencrypted HTTP as "not secure," starting in July. Today, the company described the next change it will make to its browser: in September, Google will stop marking HTTPS sites as secure.

Most HTTP sites will get a regular gray "Not secure" label in their address bar. If the page has user input, however, that gray label will become red, indicating the particular risk the page represents: Web forms served up over HTTP could send their contents anywhere, making them risky places to type passwords or credit card numbers.

Actually, even with SSL/TLS a web form can send the content anywhere. It looks like some people do not have much of a clue. If your form sends the data to a third party server via https, it's still secure. Having a certificate does not automagically remove any risks; unless every single certificate would have go through an EV process which would drastically reduce the shady systems who get their trusted DV certificates by free services like Let's Encrypt.

Browse all articles« Previous « » Next »