Chrome removes secure notification
6 June 2018
Since early 2017, Chrome has shown a green ‘Secure’ notification for all websites that have an HTTPS connection. Google recently announced that this notification will no longer be shown as of September this year. From then on, only EV certificates will show a positive indicator. Research from the Dutch news organisation NOS shows that the current notifications cause confusion and that malicious websites benefit from them.
Towards HTTPS by default
In its pursuit of a safer internet, Google has for quite some time been changing how Chrome displays websites with and without an SSL certificate. An unsecured website shows a warning; a secured website currently shows a positive notification. This goes a step further than other browsers, which just show a padlock and https:// for every SSL certificate, plus a company name in green for EV SSL certificates.
Chrome also shows unsafe websites as safe
An unintended side effect of the extra ‘Secure’ notification introduced last year is the trusted appearance it gives to phishing websites. Currently, no distinction is made between SSL certificates with or without company data. As a result, the browser labels every website with SSL as ‘Secure’, including phishing websites with bad intentions. A Domain Validated certificate is easy to obtain because it involves few checks. This leads to the misconception that HTTPS equals a trustworthy website, while a standard HTTPS connection only shows that the connection to the website is secured. Fortunately, the change announced for September will solve this.
Ready for the next step
All the attention paid to SSL has given its use an enormous boost. By February this year:
- More than 68% of all Chrome traffic on Android and Windows was secured;
- More than 78% of the Chrome traffic on Chrome OS and Mac was secured;
- And 81 out of 100 top sites use HTTPS by default.
Google says it’s time for a turning point, in which ‘secure’ is the default setting and warnings appear only when a site is not secure. From July this year, Chrome will start showing a ‘Not Secure’ warning for every unsecured website. From September on, the ‘Secure’ notification will no longer be displayed for regular HTTPS. The idea is to eventually remove the padlock and https:// completely. Only an EV certificate will show a positive notification. The ‘Not Secure’ warning will also become more visible from October this year.
What do these changes mean for you?
If the announced changes are carried out, the situation will be as follows:
| No HTTPS | Negative display |
| Standard SSL (Domain and Organisation validation) | Neutral display |
| EV SSL | Positive display |
In the new situation, every website needs an SSL certificate to prevent browser warnings; the type of certificate doesn’t matter for this. However, certificates with Domain and Organisation validation will lose their visibility in the Chrome browser. Do you have a corporate or commercial website? You can distinguish yourself and show extra trust with an EV certificate with a green address bar.
Overview of HTTPS changes in Chrome
All changes to the display of SSL that Chrome has recently made or has announced for the near future:
| Change | Date | Chrome version |
| --- | --- | --- |
| | September 2016 | 53 |
| | January 2017 | 56 |
| | October 2017 | 62 |
| | July 2018 | 68 |
| End of Secure notification | September 2018 | 69 |
| Increase of Not Secure notification | October 2018 | 70 |