Google is preparing to make a significant change to how users are informed of security online. Beginning in January 2017, Chrome will subtly mark password and payment pages as non-secure if they use HTTP instead of HTTPS. This is just the first step toward marking all HTTP pages as non-secure with a more visible notice. 

The image above shows what you can expect in the coming update, which will be part of Chrome 56. Instead of simply showing the default icon, you will see the "not secure" text on payment/password pages that only use HTTP. A page that's served over HTTP makes it easier for an attacker on the same network to modify content before it reaches you, a so-called man-in-the-middle attack. Google is starting with just password and payment pages because of their particularly sensitive nature.


The next step (at an unknown future date) will be to mark all HTTP pages as non-secure in Incognito mode. Eventually, Google wants to show the above warning on all HTTP pages in Chrome. The much more explicit warning should get everyone's attention and encourage site operators to use HTTPS. According to Google, the use of HTTPS has increased dramatically in recent years. More than half of all page loads in Chrome are now HTTPS. Google even has documentation to help websites implement HTTPS.
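
For site operators, a small audit that lists which HTTP pages contain password or payment fields and so fall under the Chrome 56 label. This is an added example, not code from Google or the original article. It assumes a password page is one with an `<input type="password">` and a payment page is one with a field carrying a standard `cc-*` autocomplete token; the URLs and markup are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collects form fields that suggest a password or payment page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "input" and a.get("type") == "password":
            self.findings.append("password")
        # Assumption: payment fields use the standard HTML autocomplete
        # tokens for cards (cc-number, cc-exp, cc-csc, ...).
        elif any(t.startswith("cc-") for t in a.get("autocomplete", "").split()):
            self.findings.append("payment")


def audit_page(url, html):
    """Return the sensitive field kinds found if the page is plain HTTP, else []."""
    if urlsplit(url).scheme.lower() != "http":
        return []  # HTTPS pages are not affected by this change
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return sorted(set(finder.findings))


def audit_all(pages):
    """Map each affected URL to the field kinds that trigger the label."""
    return {url: kinds for url, html in pages.items()
            if (kinds := audit_page(url, html))}


# Constructed sample pages (hypothetical URLs and markup).
SAMPLES = {
    "http://shop.example/login": '<form><input name="u"><input type="PASSWORD" name="p"></form>',
    "http://shop.example/checkout": '<form><input autocomplete="section-pay cc-number"></form>',
    "https://shop.example/login": '<form><input type="password"></form>',
    "http://shop.example/about": '<p>About us</p><input type="search">',
}

if __name__ == "__main__":
    for url, kinds in audit_all(SAMPLES).items():
        print(f"{url}: would be marked not secure ({', '.join(kinds)} field)")
```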