Security has always been one of Chrome’s core principles—we constantly work to build the most secure web browser to protect our users. Two recent studies concluded that Chrome was the most secure web browser in multiple aspects of security, with high rates of catching dangerous and deceptive sites, lightning-fast patching of vulnerabilities, and multiple layers of defenses.
About a year ago, we announced that we would begin marking all sites that are not encrypted with HTTPS as “not secure” in Chrome. We wanted to help people understand when the site they're on is not secure, and at the same time, provide motivation to that site's owner to improve the security of their site. We knew this would take some time, and so we started by only marking pages without encryption that collect passwords and credit cards. In the next phase, we begin showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
It’s only been a year, but HTTPS usage has already made some incredible progress. You can see all of this in our public Transparency Report:
- 64 percent of Chrome traffic on Android is now protected, up from 42 percent a year ago.
- Over 75 percent of Chrome traffic on both Chrome OS and Mac is now protected, up from 60 percent on Mac and 67 percent on Chrome OS a year ago.
- 71 of the top 100 sites on the web use HTTPS by default, up from 37 a year ago.
We’re also excited to see HTTPS usage increasing around the world. For example, we’ve seen HTTPS usage surge recently in Japan; large sites like Rakuten, Cookpad, Ameblo, and Yahoo Japan all made major headway towards HTTPS in 2017. Because of this, we’ve seen HTTPS in Japan surge from 31 percent to 55 percent in the last year, measured via Chrome on Windows. We see similar upward trends in other regions—HTTPS is up from 50 percent to 66 percent in Brazil, and 59 percent to 73 percent in the U.S.!
Ongoing efforts to bring encryption to everyone
To help site owners migrate their sites to HTTPS (or create them on HTTPS from the start!), we want to make sure the process is as simple and cheap as possible. Let’s Encrypt is a free and automated certificate authority that makes securing your website cheap and easy. Google Chrome remains a Platinum sponsor of Let’s Encrypt in 2017 and has committed to continue that support next year.
Google also recently announced managed SSL for Google App Engine and has started securing entire top-level Google domains like .foo and .dev by default with HSTS. These advances help make HTTPS automatic and painless, to make sure we’re moving towards a web that’s secure by default.
HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. There’s never been a better time to migrate! Developers, check out our set-up guides to get started.