Non-secure by default – Initial thoughts

After seeing this tweet, I decided to flip my chrome://flags flag for Mark non-secure origins as non-secure in canary. I did some quick testing and found out a couple of things:

  1. As of right now, it’s only on pages that have a password field.  For WordPress sites, this means your homepage is likely fine, but wp-login.php will actively be marked as non-secure.
  2. If a Password field is added to a page, it will be changed to non-secure. nyt-not-secure-gif
  3. It seems to be actively looking at the DOM, and not storing a record of the page. For example, refreshing The New York Times homepage goes back to the standard display until I click Log In again.

Overall, it’s not incredibly noticeable right now. I look forward to seeing how this feature evolves. I also want to test with some screen readers to see if there is an announcement that you are on a non-secure page when the address bar changes.

This feature is scheduled to launch in January 2017 with the release of Chrome 56. HTTPS is required in order to take advantage of HTTP/2 and thus have the fastest modern website possible. Now is a great time to check out Let’s Encrypt where you can get a free SSL certificate.

Leave a Reply

Your email address will not be published. Required fields are marked *