8

Worth noting that this will be the eventual default behaviour: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

46Give the continued pervasiveness of non-HTTPS sites, don’t you fear that the high false-positive rate will numb your non-tech-y mother, training her to ignore the warning sign? Imagine every intersection had “STOP” signs. People would learn quickly to ignore them (this is altogether non-hypothetical). – Konrad Rudolph – 2018-07-25T15:36:56.300

3It would be nice if it could be yellow instead of red. While I am of the opinion that "if it's on the wire it should be encrypted", a non-https site isn't automatically insecure, it's just not encrypted. If you're doing nothing but looking at stuff then you're not risking anything. – Petro – 2018-07-25T15:41:31.123

4@KonradRudolph I told her literally, don't buy anything on the "red" shops and don't enter any sensitive information there, otherwise their Ok for weather forecasting and such normal things. – LinuxSecurityFreak – 2018-07-25T15:47:53.183

4@Petro: If that were true, every major browser wouldn't be moving towards this model! You're still vulnerable to injection attacks from your gateway or ISP over http, never mind other users of the same network. ISP-level injection in particular happens a lot on some networks. – Phoshi – 2018-07-26T12:47:50.093

1@KonradRudolph: Not only that. It also communicates that other sites are secure when in fact they are not (all that's there is a certificate which you can buy for 2-3 currency, or meanwhile get for 100% free), and web browsers, this one included, do nearly everything to promote a maximally insecure web. Before worrying that the NSA might track what mostly uninteresting stuff you read on SO or on Facebook, one should worry why every darn website must run a dozen scripts in your browser, and why browsers need to allow scripts to do things that actually nobody wants them to be able to do. – Damon – 2018-07-26T13:05:50.797

@Petro Your point about being "on wire" is especially on point since using http to anything that resolves to the local host (e.g. 127.0.0.1) is by definition secure (*), since it's not going over the wire. (*) with regards to network transport, at least – Michael – 2018-07-26T17:13:58.997

While we're giving this man advice on how to educate his mother, I would say it's more useful to have an alert box when you actually submit data to a website: "Please note, this website is insecure, be careful not to share any personal information like your SCN or CC details from here." Why even bother caring if you're not submitting any data. – Coded Monkey – 2018-07-27T07:49:06.273

2@CodedMonkey Because the page viewed may not be the one sent by the server. Content may have been changed, or malicious content may have been added. Chrome and Firefox are correct in their assertion that HTTP only is insecure, although the converse is of course not necessarily true. – pwdst – 2018-07-27T14:25:15.887