February 10, 2018

Google Chrome Will Mark HTTP Sites ‘Not Secure’ from July 2018 with the Release of Chrome 68

  • Google Chrome will start labelling all non-HTTPS sites as "Not Secure"
  • The change will come with the Chrome 68 release in July 2018
  • Google’s Lighthouse tool, an open source app, helps developers run audits on web pages

For the past several years, Google has strongly advised webmasters to adopt HTTPS encryption. Google said that within the last year it helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”.

This plan rolled out in stages. The first stage came with Chrome 58, when Google marked HTTP pages as “Not Secure” if they contained password or credit card payment fields. The second stage came with Chrome 62, when Google marked all HTTP pages opened in a private browsing window as “Not Secure”. The final stage begins in July 2018, when the Chrome 68 release will mark all HTTP sites as “not secure”.

In a recent announcement, Google confirmed that from July 2018, with the release of Chrome 68, every HTTP website a user visits in Chrome will be flagged as "Not Secure".

Understand the common signs

Developers have clearly heard the call. According to Google, the results of these efforts have been:

  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default

So it’s clear that HTTPS is the wave of the future when it comes to internet security.

What is Certificate Transparency?

Google’s Certificate Transparency is an open source project that aims to strengthen the SSL/TLS certificate system, which is the main cryptographic security system that underlies all HTTPS secure connections. It is an extra tier of certificate security that forms a Security Triad to ensure that clients navigating the internet are safe and secure with regard to web security.

What Is Certificate Transparency (CT)?

As the name implies, CT allows people on the internet to look at all certificates that have been issued by a Certificate Authority (CA). This is achieved using centralized logging to a collection of servers. These log servers talk to one another, to ensure consistency and reveal any unusual activity. Anyone can query the log servers to find out details on certificates that have been issued to anyone, by anyone. For example, a company could check to see what certificates have been created using its domains and details.

In a nutshell, Certificate Transparency is a third-party auditing log required by Google/Chrome to display certificate ownership information. The information is publicly auditable. Once CT logging is enabled, that information is public and cannot be deleted from the log. The following information appears in the CT log:

  • Common Name
  • Subject alternative names
  • Organization name
  • CA (issuer) name
  • Serial number
  • Validity period
  • Extensions
  • Certificate chain

*Note: much of this information is already publicly available for external sites.
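The check described above, where a company reviews which certificates have been issued for its domains, can be sketched as follows. This is an added example, not code from the original article; the log entries, issuer names, serial numbers and the `review_entries` helper are all constructed for illustration and use the fields listed above.

```python
from datetime import date

# Constructed sample entries using the fields the article lists for a CT log
# record; every name, issuer and serial below is made up for illustration.
SAMPLE_ENTRIES = [
    {"common_name": "www.example.com", "sans": ["www.example.com", "example.com"],
     "issuer": "Example Trusted CA", "serial": "0A01", "not_after": date(2019, 2, 1)},
    {"common_name": "login.example.com", "sans": ["login.example.com"],
     "issuer": "Unknown Issuing CA", "serial": "7F33", "not_after": date(2019, 6, 1)},
    {"common_name": "*.shop.example.com", "sans": ["*.shop.example.com"],
     "issuer": "Example Trusted CA", "serial": "0B77", "not_after": date(2019, 3, 1)},
    {"common_name": "notexample.com", "sans": ["notexample.com"],
     "issuer": "Some Other CA", "serial": "9C10", "not_after": date(2019, 1, 1)},
]

def covers_domain(name, domain):
    """True if a certificate name (wildcard or not) is `domain` or a subdomain of it."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    domain = domain.lower()
    # Require a dot boundary so "notexample.com" does not match "example.com".
    return name == domain or name.endswith("." + domain)

def review_entries(entries, domains, approved_issuers, known_serials, today):
    """Return (serial, common_name, reasons) for unexpired certs that need review."""
    findings = []
    for e in entries:
        names = {e["common_name"], *e["sans"]}
        if not any(covers_domain(n, d) for n in names for d in domains):
            continue  # certificate is for someone else's domain
        if e["not_after"] < today:
            continue  # already expired, no longer usable
        reasons = []
        if e["issuer"] not in approved_issuers:
            reasons.append("issuer not approved")
        if e["serial"] not in known_serials:
            reasons.append("not in certificate inventory")
        if reasons:
            findings.append((e["serial"], e["common_name"], reasons))
    return findings
```
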

The Security Triad:

If you haven’t noticed, over the years all client web browsers have been implementing various security notifications regarding the safety of websites. Browsers have become auditors of website security and show notifications to clients as they surf the web.

These notifications typically show green bars or padlocks if everything is secure and safe, yellow exclamation marks to make clients aware that the website is not as secure as it could be, and red strikes if the browser deems something unsafe for users. The notifications vary from browser to browser, but in the end they are all just disclaimers to inform web visitors about the safety of the website. Several things can contribute to these browser notifications, including outdated server software configurations, mixed or insecure content, or the certificate running on the website.

Now with Certificate Transparency there is a Web Security Triad. Security is not just limited to the Certificate Authority (Monitor) and Client browser (Auditor) like it used to be. Here’s what’s going on now.

  • CT is a middle logging system that holds time-stamped logs of the certificates that have been issued by the various CAs.
  • The CA informs the Log Server of all certificates that get issued.
  • The CA Monitor and Browser Auditor work in conjunction with the CT Log Server to monitor and audit logs for suspicious certs, and to verify that all the certs issued are visible to the public community.
  • The Client browser Auditor verifies that the logs are behaving properly and informs clients of anything suspicious that has happened with regard to certificate security.

CT is something that happens behind the scenes and is pretty much unnoticeable to browser clients navigating the web, but with its implementation there is a faster response and an extra tier of client safety when navigating the web.

For more information on Certificate Transparency feel free to visit

© 2021 Acmetek. All Rights Reserved.
