What’s the Meaning of the Google Chrome “Not Secure” Label

Despite Google giving web developers advance notice, I think a lot of people are going to be caught off guard by the upcoming “Not Secure” connection security label that will start showing in the Google Chrome.

As a result, your viewers and users might be confused and start asking questions. This is particularly true for content management sites (CMS) that have a login link.

Let’s take a peek and see how this will play out as Phase 1 will start at the end of January 2017.

Why is Google Doing This?

Contrary to popular belief, Google is not out to get you although it may seem like it at times. This has to do with protecting users and their data. Up until now, Google has been neutral on how they presented information about the security of a web page.

Now, they’re becoming proactive and showing more information about the connection. Granted some folks will say this is another attempt by them to get sites to convert to HTTPS. Overall, I think this is a good move to educate users. I suspect other browsers will follow suit. Besides, using HTTPS does have other benefits, which I’ll get to later.

Where Will My Users See “Not Secure”?

For starters, the following needs to occur:

  1. Your user needs to be using Google Chrome 56 or higher
  2. The page they are viewing has a password or credit card field.
  3. The site is not using HTTPS or the certificate isn’t properly installed

Let’s step back a minute and show the current scenario. For the screen snap below, I’m using Google Chrome 55. You can click the image to see full screen.

normal Google Chrome icon

After this change goes into Google Chrome, the browser bar will show the image below. You can download Google Chrome Beta and check for yourself.

non secure example

Remember, I said “Phase 1”? Well, here’s what Google eventually wants to show according to their blog. Oh!

Google Chrome planned warning

When Will The Warning Start?

This new warning is scheduled to take effect when Google Chrome 56 comes out. The “estimated” release date is set for January 31st. You can check the Google Chrome development schedule to confirm.

What Can I Do?

Apart from informing your employees, you should start converting your site to HTTPS. Based on the complexity of your site and hosting provider, this could range from a very easy process to a nightmare. Most good hosting companies will have some sort of tutorial or guide. If you can’t find one, contact support. Your web host can also tell you about known incompatibilities or additional changes you’ll need.

I can’t emphasize how important it is to do testing. I converted this site two years ago and ran into mixed content warnings, redirect errors and other issues. I also had to make changes to my CloudFlare account. Thankfully, I didn’t have any content in iFrames.

Since then, a number of hosting companies have started to allow “staging sites” where you can clone your existing site in a few steps. You could then install a free certificate like “Let’s Encrypt“. Some hosting companies have this option available from their cPanel. However, you’re still going to have to do testing as there is no skipping that step.

Additional Benefits of HTTPS

At this stage, you might be swearing at Google..again. But, there are benefits to changing to HTTPS. Again, this also depends on your hosting provider, but let’s assume you have a good one.

  1. You can use HTTP/2. This is a newer protocol that positively impacts performance. And page load speed is something Google also considers as a ranking factor.

  2. You can use Service Workers
  3. Your customers are better protected when entering data.
  4. Google is giving a slight ranking factor to HTTPS site. And no, they won’t tell you a percentage.

Oh, you get a different address bar icon, which is how this all started.

Google chrome secure icon