In the future, Chrome will flag HTTP sites as insecure

A proposal to flag HTTP as insecure in Chrome has been around for a long time. The motivation: sites served over HTTP lack encryption entirely, so why should they appear “safe” while sites with weak encryption trigger warnings? The sensible thing to do is to show an even stronger warning for these sites.

Chrome has long supported the option mark-non-secure-as, which can be accessed by going to chrome://flags/#mark-non-secure-as and selecting “Mark non-secure origins as non-secure” (a fitting name for an option) in the dropdown. Once it is enabled, this is what you’ll see in the address bar upon visiting an HTTP site:

[Screenshot: the Chrome Canary address bar while visiting an HTTP site, showing an insecure message.]
How visiting an HTTP site appears in Chrome 55 (scheduled to be released in December). This will certainly scare users away from your site.

No decision has been made on when this change will become the default, and the web is not ready for it just yet. One interesting approach would be to make the icon color incrementally more red over a period of years, which would slowly motivate people to switch to HTTPS.

To get with the times, it might be a good idea to set up Let’s Encrypt. You certainly don’t want to trigger the warning above once the time for it comes.