Why Does Chrome Say A Website Is “Not Secure”?

Chrome warning that website is "not secure"

Uh oh! Bruceb News is “not secure”! Alert readers have probably noticed the “not secure” warning on a few other websites, too. Well, actually more than half of the top one million most popular websites were “not secure” last summer. It’s gotten better since then but in November the list still included ESPN, BBC, MIT, and California’s state government site, according to WhyNoHTTPS.com.

What does it mean?


TL;DR

  •    Don’t type personal data or payment information into a website unless you see the little padlock indicating that a website is secure!

  •   It’s okay – not great but okay – for a website to be “not secure” if you’re just reading things.

  •   The reason brucebnews.com is “not secure” is because Bruce is lazy and has been procrastinating.


What does it mean for a website to be “secure” or “not secure”?

There are two important differences between https:// (“secure”) and http:// (“not secure”).

  •   The web pages sent to you by a secure site – HTTPS:// – are encrypted. Someone spying on you can tell what website you visited but they can’t read what’s on each page, and they can’t read anything you type in, like a password or credit card number. HTTPS makes it harder for criminals to tamper with the pages, such as injecting ads or redirecting users to phishing sites.

  •   A secure site has a security certificate issued to the company that owns the domain name. No one can fool you with a secure website that has “google.com” in the name because Google owns the security certificate for that name.

That sounds pretty dramatic but chill out, Eeeyore. The “Not Secure” warning does not indicate that your computer or the website is affected by malware, and the chances are pretty good that bad guys are not spying on you and rubbing their hands with glee because they learned exactly what article made you bored on Bruceb News. It only serves to alert you that you do not have a secure connection with that page. If you’re just reading info on the site – not logging in, not paying for something – that’s probably just fine. It’s the way the Internet was built and ran for many years.

The Chrome browser has lots of information for you about the security of the page you’re viewing. Click on the padlock by the URL on a secure site and you’ll see something like this.

Chrome security information about website

If you have any questions about the bona fides of the site, you can click on “Certificate” to see if the certificate was issued to the company that matches the website. The certificate for google.com was issued to google.com by Google Internet Authority, which sounds pretty legitimate, right? Legitimate certificates are issued by a relatively small number of companies; the browser knows which ones are authorized.

Chrome security certificate info - example Google.com

If a website is pretending to be someone else, then either it will say “Not secure” or you’ll see this notice before you get to the page. It means there’s something wrong with the security certificate. That’s a bad sign if you’ve clicked on a link in an email message that appeared to be from Microsoft! You should be alarmed and paranoid if you see this warning.

Chrome warning of invalid security certificate

The exception: IT pros run into that message frequently when they connect to the control panels of older local devices on the network – an aging Sonicwall router or the like. It’s harmless in that case. Everyone else should stop when they see the above message and think deeply about their life choices before they proceed.


I guess it’s cool that Chrome warns me about “not secure” sites. Is that new?

For several years Google has been aggressively pushing all websites to be secure by default. Chrome would call out secure sites by highlighting the padlock. Last summer Google took a large step: with Chrome 68 in July 2018, Google added the “Not Secure” warning to Chrome, knowing that it would create the impression that there was something wrong with a “not secure” site. At the same time, Google let everyone know in no uncertain terms that websites without a security certificate would be downgraded in Google search results – the kiss of death for any business that counts on being found in a search.

In the last year, most large businesses have switched over to HTTPS://, if they weren’t there already.

Small businesses have been slower. It’s not expensive to get a security certificate (the certificates can even be free if your site is hosted by a company that honors Let’s Encrypt certificates), but it requires some work to install them correctly and not leave broken links and missing pictures. Small businesses may have to pay their website designer to install the certificate and fix errors that crop up.

By this time, though, nearly a year after Google forced the issue, everyone with a website should have installed a security certificate and made their site secure by default. Anyone with technical skills who runs a popular website that continues to be “not secure” is simply lazy and should be flogged. Wait. Not the flogging part. A finger should be wagged in their direction. Okay, already, I get it! I’ll get security certificates for the vast Bruceb.com website empire soon, I promise!