Last updated: October 2020
Version 68 of the Google Chrome browser introduced a new “Not Secure” warning in the address bar that appears any time you are visiting an insecure web page. The latest version of Chrome also has a popup when you click the message that explains, “your connection to this site is not secure” and a warning about not entering any sensitive information on the site.
The “Not Secure” warning means there is a lack of security for the connection to that page. It’s alerting you that information sent and received with that page is unprotected and it could potentially be stolen, read or modified by attackers, hackers and entities with access to internet infrastructure (like Internet Service Providers (ISPs) and governments). The “Not Secure” warning does not mean that your computer or the site you are visiting is affected by malware. It only serves to alert you that you do not have a secure connection with that page.
Website owners have a responsibility to secure their site, and although site visitors cannot change a “Not Secure” warning, they can request that site owners implement security measures. This article will cover what is behind the “Not Secure” warning and what site owners and visitors can do to fix it.
First, note that the warning appears differently in different browsers. Here’s what the “Not Secure” sign looks like in Chrome, Safari and Firefox.
“Not Secure” warning in Chrome:
“Not Secure” warning in Safari:
“Not Secure” warning in Firefox:
HTTP → “Not Secure,” HTTPS → “Secure”
Unsecure websites display the “Not Secure” warning which appears on all pages using the HTTP protocol, because it is incapable of providing a secure connection. Historically, this had been the primary protocol used for internet communication.
Over the last several years, websites have been transitioning to HTTPS — the S stands for “secure” — which does provide encryption (and authentication) and is used by millions of websites including Google, Facebook and Amazon, to protect your information while browsing, logging in and making purchases.
Note that some websites may only support secure HTTPS connections on some pages, but not all; in these cases, you may see the “Not Secure” warning on only the insecure pages.
If you’re a visitor or an owner/operator of a website using HTTP and seeing this warning, here’s what you can do.
For website owners/administrators
The “Not Secure” warning is being displayed on any page served over HTTP, which is an insecure protocol. If you are seeing this warning on a site you own or operate, you should resolve it by enabling the HTTPS protocol for your site.
HTTPS uses the TLS/SSL protocol to provide a secure connection, which is both encrypted and authenticated. Using HTTPS requires that you obtain a TLS/SSL certificate(s), and then you can install that certificate and enable the HTTPS protocol on your web server.
If you are the technical administrator or developer for your site, you should begin by assessing if you currently have any support for HTTPS. Some sites have partial support, meaning they have deployed HTTPS to some parts of the site, or have not chosen to serve the site via HTTPS by default. If either is the case, look into what steps need to be taken to deploy HTTPS across your entire site and by default. Our guide to configuring HTTPS Everywhere will help you get started.
If you do not have HTTPS deployed at all, start by using our Certificate Wizard to help you figure out which TLS certificate you need. Your needs will vary depending on how many domain names you operate and if you want your business to be validated for additional user trust. Then review our guide to HTTPS Everywhere to understand the steps you need to take to support HTTPS by default.
All major web browsers — including Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari — have a user interface that will warn users about insecure pages, so it is important to support HTTPS both for the security benefits and for the optimal user experience. In addition, many new web technologies require HTTPS, and some of these can improve performance on your website.
For website visitors
The reason you are seeing the “Not Secure” warning is because the web page or website you are visiting is not providing an encrypted connection. When your Chrome browser connects to a website it can either use the HTTP (insecure) or HTTPS (secure).
Any page providing an HTTP connection will cause the “Not Secure” warning. You should avoid conducting any sensitive transactions on these pages, including logging in or providing personal or payment information. Browsing insecure sites could also put you at risk if you are viewing information that is dangerous or not condoned in your country.
As a visitor, you cannot fix the cause of this warning. The only way to solve the issue is for the website operator to obtain a TLS certificate and enable HTTPS on their site. This will allow your browser to connect securely with the HTTPS protocol, which it will do automatically once the website is properly configured.
If a site you frequently use is displaying the “Not Secure” warning, you should contact them and ask them to start supporting HTTPS. You can also try manually replacing HTTP with HTTPS in the URL, as some sites may have partial support for HTTPS but don’t offer it by default.
Note that even with basic browsing over HTTP — such as looking at recipes or reading news — what you are looking at can be monitored, modified and recorded by entities, such as your ISP or government. This effectively means you do not have any privacy when browsing such pages. On public Wi-Fi networks, like at a coffee shop or airport, there is an additional risk from local attackers — other computers on that network — which are able to view and monitor the pages you are looking at, the information you are sending them and what you are searching for.