
The Protected icon for HTTPS sites will disappear from Chrome, and this is correct.



A few months ago, Chrome developers announced that in July 2018 they would begin to mark all HTTP pages as unsafe. The “Not secure” icon will appear in the address bar next to the URL.

This is an important innovation, because people are taught to avoid sites that have not installed a TLS certificate to encrypt traffic. After all, such sites really do endanger users. For example, providers and other attackers may embed advertising, crypto miners and other malicious content into unencrypted traffic. In a survey on Habr, 55% of users agreed that all sites should encrypt traffic over HTTPS.
Now another change has been announced, and its meaning is not immediately obvious. Starting with Chrome 69 (September 2018), the “Protected” indicator will disappear from HTTPS-protected sites. The question is why?

Here's how the developers explain this in the official blog:
“Users should expect the web to be safe by default, and warn them if a problem occurs. Since soon all HTTP pages will be marked as “unprotected”, we take a step forward and remove the positive security indicators, so that the unmarked state becomes safe by default.”
If you think about it, this is an impressive paradigm shift. Judge for yourself: earlier, HTTP sites were considered normal, and HTTPS sites were considered secure. Now the indicators move up one step. HTTPS sites become ordinary, and there is no separate category of secure sites at all, because all normal sites are considered secure by default! If a site is not protected by a TLS certificate, then it is not ordinary, and it deserves a separate indication as unprotected!

That is, site protection and traffic encryption are recognized as the norm.

From October 2018 (Chrome 70), the browser will begin to warn users more clearly about unprotected HTTP sites: the gray indicator will change to red if the user tries to enter data on a web page without traffic encryption.



In terms of user perception, this is an important interface change. Studies have shown that users do not perceive the lack of a green icon with a “Protected” lock as a warning. An explicit indication of the danger of the site is more noticeable.

In Russia, there is an additional reason for encryption, because the “Spring Act” will soon come into force here: from October 1, providers will start storing all users' Internet traffic on servers. Under this law, operators and websites are required to provide encryption keys upon request of the special services. However, such a system only works if the original site certificates are replaced with national certificates, as in Kazakhstan. But when using a standard TLS certificate from a trusted Certification Authority, such as GlobalSign, it’s virtually impossible to “provide keys” because a new session key is generated based on the server certificate, the client’s public key, and random numbers generated to encrypt the connection.

Today, any site can implement HTTPS without any problems (see the “Full guide to the transition from HTTP to HTTPS” with instructions including Let's Encrypt). Very soon, Chrome and Firefox will begin to mark sites without HTTPS as “unprotected”, so sites without protection risk damaging their reputation in the eyes of users. This may also hurt the resource's traffic, if it has not already, because for three years now the lack of a certificate has slightly lowered sites in Google search results.



Source: https://habr.com/ru/post/359032/

