Seeing a “Not Secure” Warning in Chrome? Here’s Why and What to Do about It

The latest version of the Google Chrome browser, version 68, introduced a new “Not Secure” warning in the address bar that appears anytime you are visiting an insecure web page.

The warning refers to the lack of security for the connection to that page. It’s alerting you that information sent and received with that page is unprotected and it could potentially be stolen, read, or modified by attackers, hackers, and entities with access to internet infrastructure, such as Internet Service Providers (ISPs) and governments.

This “Not Secure” warning appears on all pages using the HTTP protocol, which is incapable of providing a secure connection. Historically, this has been the primary protocol used for internet communication.

Over the last few years, websites have been transitioning to HTTPS—note the S appended to the end—which does provide security and is used by millions of websites including Google.com, Facebook.com, and Amazon.com, to protect your information while browsing, logging in, and making purchases.

The “Not Secure” warning does not indicate that your computer or the site you are visiting is affected by malware. It only serves to alert you that you do not have a secure connection with that page. Note that some websites may only support secure HTTPS connections on some pages, but not all; in these cases you may see the “Not Secure” warning on only the insecure pages.

If you’re a visitor or an owner/operator of a website using HTTP and seeing this warning, here’s what you can do.

For Website Owners/Administrators

The “Not Secure” warning is being displayed on any page served over HTTP, which is an insecure protocol. If you are seeing this warning on a site you own or operate, you should resolve it by enabling the HTTPS protocol for your site

HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. Using HTTPS requires that you purchase an SSL certificate(s), and then you can install that certificate and enable the HTTPS protocol on your web server.

If you are the technical administrator or developer for your site, you should begin by assessing if you currently have any support for HTTPS. Some sites have partial support, meaning they have deployed HTTPS to some parts of the site, or have not chosen to serve the site via HTTPS by default. If either is the case, look into what steps need to be taken to deploy HTTPS across your entire site and by default. Our guide to configuring HTTPS Everywhere will help you get started.

If you do not have HTTPS deployed at all, start by using our Certificate Wizard to help you figure out which SSL certificate you need. Your need will vary depending on how many domain names you operate and if you want your business to be validated for additional user trust. Then review our guide to HTTPS Everywhere to understand the steps you need to take to support HTTPS by default.

All major web browsers—including Google Chrome, Mozilla Firefox, and Apple Safari—are moving to a user interface that will warn users about insecure pages, so it is important to support HTTPS both for the security benefits and for the optimal user experience. In addition, many new web technologies require HTTPS, and some of these can improve performance on your website.

For Website Visitors

The reason you are seeing the “Not Secure” warning is because the web page or website you are visiting is not providing a secure connection. When your Chrome browser connects to a website it can either use the HTTP (insecure) or HTTPS (secure).

Any page providing an HTTP connection will cause the “Not Secure” warning. You should avoid conducting any sensitive transactions on these pages—such as logging in, providing personal information, or payment information—browsing insecure sites could put you at risk if you are viewing information that is dangerous or not condoned in your country.

As a visitor, you cannot fix the cause of this warning. The only way to solve the issue is for the website operator to obtain an SSL certificate and enable HTTPS on their site. This will allow your browser to connect securely with the HTTPS protocol, which it will do automatically once the website is properly configured.

If a site you frequently use is displaying the “Not Secure” warning, you should contact them and ask them to start supporting HTTPS. You can also try manually replacing HTTP with HTTPS in the URL, as some sites may have partial support for HTTPS but don’t offer it by default.

Note that even with basic browsing over HTTP—such as looking at recipes or reading news—what you are looking at can be monitored, modified, and recorded by entities, such as your ISP or government. This effectively means you do not have any privacy when browsing such pages. On public Wi-Fi networks, like at a coffee shop or airport, there is an additional risk from ‘local attackers’—other computers on that network—which are able to view and monitor the pages you are looking at, the information you are sending them, and what you are searching for.

Posted in Best Practices, Browser, HTTPS