Why Safari Warns You That Some Sites are “Not Secure”

As of March 2019, Safari on macOS and iOS displays a warning reading “Not Secure” in the address bar for all HTTP connections. Last year, Google Chrome and Mozilla Firefox became the first major browsers to display the same warning.


The “Not Secure” warning appears on all pages in Safari when connecting over HTTP. If the page contains any form fields, the warning turns red once the user interacts with any of the fields (or turns red automatically if the field has autofocus, meaning it’s selected by default on page load).

This warning appears on macOS as of version 10.14.4 and iOS 12.2.
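Site owners can use the rule described above to find which of their pages will show the red version of the warning. The following Python is an added example, not Safari's code or part of the original article; the function and class names, the set of tags treated as form fields, the decision to skip hidden inputs, and the sample pages are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: these elements are what the rule means by "form fields".
FIELD_TAGS = {"input", "textarea", "select"}


class FieldScan(HTMLParser):
    """Notes whether a page has form fields and whether one has autofocus."""

    def __init__(self):
        super().__init__()
        self.has_field = False
        self.has_autofocus = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)  # tag and attribute names arrive lowercased
        if tag not in FIELD_TAGS:
            return
        # Assumption: a hidden input cannot be interacted with, so skip it.
        if tag == "input" and (attr.get("type") or "").lower() == "hidden":
            return
        self.has_field = True
        self.has_autofocus = self.has_autofocus or "autofocus" in attr


def predict_indicator(url, html):
    """Return the address-bar state the rule above predicts for this page."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "no warning"
    if scheme != "http":
        raise ValueError(f"not a web URL: {url!r}")
    scan = FieldScan()
    scan.feed(html)
    scan.close()
    if scan.has_autofocus:
        return "Not Secure, red on page load"
    if scan.has_field:
        return "Not Secure, red once a field is used"
    return "Not Secure"


# Constructed sample pages (example.test is a placeholder host).
LOGIN = '<form><input name="user" autofocus><input type="password" name="pw"></form>'
SEARCH = "<form><input type=search name=q></form>"
STATIC = '<p>Opening hours</p><input type="hidden" name="token" value="x">'

if __name__ == "__main__":
    for url, page in [("http://example.test/login", LOGIN), ("http://example.test/", SEARCH),
                      ("http://example.test/about", STATIC), ("https://example.test/login", LOGIN)]:
        print(url, "->", predict_indicator(url, page))
```

Pages that come back as red on page load are the ones to move to HTTPS first, since they are typically login or data-entry forms.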

The risks of HTTP
If you are a visitor to a website displaying this warning, you should be aware that HTTP lacks connection security — meaning the data you send and receive with that page is not protected and could be viewed by others or intercepted. Note that this is not an issue with your computer or iPhone/iPad, but with the specific website or webpage you are viewing.

You should not send any sensitive data to a page when you see this warning. Any information you enter into an HTTP page is transmitted over the internet in plain text, which means there is no encryption or other protection of the data. For example, if you enter your password into an HTTP page, it is sent across your network and all the way to the webserver. That journey passes through many different computers to cover the many miles between your computer and the server, and all of them can see your password and potentially steal it.

Instead, you want to use HTTPS (note the S at the end, which indicates “Secure”). HTTPS includes a security protocol named TLS (Transport Layer Security, more commonly referred to as SSL, or Secure Sockets Layer, the protocol’s predecessor), which adds the missing security features: encryption and server authentication. These two features work together. Encryption protects your data from being read by anyone but the website you are connecting to. Server authentication ensures that you are not vulnerable to spoofing, a common type of internet attack that allows one computer to impersonate another (similar to someone putting on a fake uniform and impersonating a police officer). For extra protection, certificates also present identity information when the Certificate Authority issuing the certificate follows Organizational Validation or Extended Validation (OV or EV).

The validation standards are globally prescribed and audited. When you click on the padlock, you can get additional information about OV and EV certificates to confirm that the site you are visiting belongs to the company you intended.

Safari and other web browsers no longer want users connecting via HTTP because of the security risks and have been showing various warnings for a few years now.

Remove the warning — migrate to HTTPS
The only way to remove the “Not Secure” warning in Safari for your website is to make sure your visitors are connecting over HTTPS (this is a change the website owner/administrator has to make, so contact them if a site you regularly use is presenting this warning).

Major web browsers have been steadily working to discourage the use of HTTP by adding negative UI indicators, such as this one, and by restricting the functionality available to HTTP pages. Instead, websites should offer HTTPS, which uses the TLS protocol (still commonly called SSL) to provide a secure connection.

If your website already supports HTTPS, it is possible that you are not properly enforcing certificate best practices. If you do not yet support HTTPS, the first step is to get a TLS certificate and then install it on your webserver.
