The Chrome security team plans to phase out non-secure HTTP to enhance user security and privacy by marking it as non-secure and eventually restricting new features to secure websites only. They encourage all website operators to transition to HTTPS by the end of 2015. This initiative aims to ensure that all browsing activities are treated as private and sensitive.

1. Delivering the news
over HTTPS

2. Paul Schreiber@paulschreiber

7. HTTP1991–2015

8. HTTP1991–2015

10. Marking HTTP As Non-Secure
We, the Chrome Security Team, propose that user
agents (UAs) gradually change their UX to
display non-secure origins as affirmatively
non-secure. We intend to devise and begin
deploying a transition plan for Chrome in 2015.
The goal of this proposal is to more clearly display
to users that HTTP provides no data security.

11. Marking HTTP As Non-Secure
We, the Chrome Security Team, propose that user
agents (UAs) gradually change their UX to
display non-secure origins as affirmatively
non-secure. We intend to devise and begin
deploying a transition plan for Chrome in 2015.
The goal of this proposal is to more clearly display
to users that HTTP provides no data security.

13. Deprecating Non-Secure HTTP
Today we are announcing our intent to phase out
non-secure HTTP.
There are two broad elements of this plan:
1. Setting a date after which all new features will be
available only to secure websites
2. Gradually phasing out access to browser
features for non-secure websites, especially
features that pose risks to users’ security and
privacy.

14. Deprecating Non-Secure HTTP
Today we are announcing our intent to phase out
non-secure HTTP.
There are two broad elements of this plan:
1. Setting a date after which all new features will be
available only to secure websites
2. Gradually phasing out access to browser
features for non-secure websites, especially
features that pose risks to users’ security and
privacy.

15. Deprecating Non-Secure HTTP
Today we are announcing our intent to phase out
non-secure HTTP.
There are two broad elements of this plan:
1. Setting a date after which all new features will be
available only to secure websites
2. Gradually phasing out access to browser
features for non-secure websites, especially
features that pose risks to users’ security and
privacy.

17. The HTTPS-Only Standard
All browsing activity should be considered
private and sensitive.
—https.cio.gov

19. A Call to Action
If you run a news site, or any site at all, we’d like
to issue a friendly challenge to you. Make a
commitment to have your site fully on HTTPS by
the end of 2015 and pledge your support with
the hashtag #https2015.
—Eitan Konigsburg, Rajiv Pant and Elena Kvochko
“Embracing HTTPS”
November 13, 2014

23. HTTP

24. HTTPS

28. HTTPS

32. example.com
single

33. example.com
greeneggsham.info
wordpressfan.biz
SAN

34. example.com
beta.example.com
shoebox.example.com
wildcard

35. SGC

36. domain
validation

37. organization
validation

38. extended
validation

39. extended
validation

53. Selected DV Certificates
Comodo PositiveSSL
Comodo SSL
Thawte SSL123
0 32 64 96 128 160
149
99
49

54. PositiveSSL DV Certificates
SSLs.com
SSLMate
Comodo
0 32 64 96 128 160
49
15.95
8.95

55. Selected Certificates
Let’s Encrypt
PositiveSSL (SSLs.com)
GeoTrust QuickSSL Premium
Thawte SSL123
GeoTrust True BusinessID
Symantec Secure Site
Symantec Secure Site Pro EV
0 300 600 900 1200 1500
1400
399
199
149
99.98
8.95
0

58. $ sslmate mkconfig

59. https://mozilla.github.io/
server-side-tls/
ssl-config-generator/

60. https://github.com/
tollmanz/lets-encrypt-wp

61. $ wp cert new

63. HTTPS enabled

64. HTTPS enabled
HTTPS default

65. HTTPS enabled
HTTPS default
HSTS

66. HTTPS enabled
HTTPS default
HSTS
HSTS preload

67. SNI

68. SHA1vs
SHA2

75. content

76. content
😕

77. comments

78. ads

79. social

80. analytics

81. CDNs

82. fonts

89. 2008 HTTPS is slow

90. 2008 HTTPS is slow
2015 HTTPS is fast

91. HTTP 2.0

92. HTTPS

93. 1.88X
per http2.loadimpact.com

95. mixedcontent

96. mixedcontent
$ mixed-content-scan

97. mixedcontent
Content-Security-Policy:
upgrade-insecure-requests

98. mixedcontent Content-Security-Policy-
Report-Only: default-src
https: data: 'self'
'unsafe-inline' 'unsafe-
eval'; report-uri:
https://myserver.com/log-
tool/

99. NoHTTPS?
ask
nicely.

100. NoHTTPS?
SoundCite
placehold.it

101. mixedcontent
Akamai
http://hostname.com →
https://a248.e.akamai.net/f/
12/621/60d/hostname.com

102. <script src="//google.com/…
<script src="https://googl…
mixedcontent

103. <script src="//google.com/…
<script src="https://googl…
mixedcontent

104. mixedcontent

105. Many graphics from The Noun Project
Tombstone by Jakob Wells. Congress by Martha Ormiston.
Shield by Wayne Thayer. Snail by aLf. Server by Yazmin
Alanis. SEO by Azis. Money by Nick Levesque. Warning by
Icomatic. Shopping cart by Patrizia Daidone. Lock with
keyhole by Brennan Novak. Scribble by Michael Chanover.
Calendar by Mani Amini. Error by Anas Ramadan. Network by
Stephen Boak. Hat based on work by Blake Kimmel.