Google Chrome to Remove Secure Marking as Default on Sites From September

Chrome 70 will start showing HTTP with the red "not secure" indicator

         

engine

9:46 am on May 18, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Google's Chrome 69 will change from September, leaving all secure sites with no label, and only sites with HTTP will be marked "not secure."
From October 2018, in Chrome 70, Google will start showing the red “not secure” warning when users enter data on HTTP pages.

Clearly, Google feels the numbers have swung in favor of HTTPS.

Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).


[blog.chromium.org...]

Travis

11:19 am on May 18, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



For 10-15-20 years users were trained to check the status "secure" of sites before doing something... if the "secure" label is removed, even if it means the site IS secure, it can cause confusion I think... Lots of people, especially nowadays, don't even pay attention if there is an "s" at the end of the http... so not seeing the label "secure" might make them think the site is NOT secure...

robzilla

11:30 am on May 18, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The lock will still be there for the foreseeable future, and the "Secure" bit doesn't really add much to that anyway. We're quickly moving towards HTTPS being the new default*, which means you won't even have to check for a lock anymore because everything will be secure unless you're otherwise notified.

* it already sort of is, with 84% of Chrome page requests already happening over HTTPS. [transparencyreport.google.com...]

keyplyr

6:45 pm on May 18, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I can envision all non-secure pages being purged from the index at some point.

EditorialGuy

4:11 pm on May 19, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I can envision all non-secure pages being purged from the index at some point.

Only if it didn't affect the quality of the index, I think. Or maybe we'll reach the point where all hosting services serve up pages as https: by default, using automatic HTTPS rewrites as needed.

graeme_p

4:57 pm on May 19, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



At which point Google will not index pages that are not certified by a limited number of approved providers - making the net a bit less open.

I think Travis is right about it confusing people. People are very easily confused by security. No average user will fill in a form on a page with a faulty certificate, but they mostly will on an unencrypted page.

ChanandlerBong

6:41 pm on May 19, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



there are still major sites (BBC for example) that haven't bothered making the jump to https yet.

phranque

9:29 pm on May 19, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



instead of making ignorant and irrelevant judgments on site security they should simply state the facts ("Not Encrypted") and leave it at that.

robzilla

11:11 pm on May 19, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



they should simply state the facts ("Not Encrypted") and leave it at that.

Probably too cryptic for most people (pun obviously intended).

But I agree the "Secure" tag can be confusing. Probably one reason they're getting rid of it.

"Not secure", however, still holds true for any HTTP connection.

keyplyr

12:37 am on May 20, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Well that's just it, the term "secure" is now defined for commonality through user safety. Conversely “not secure” to mean user safety is not implied.

topr8

6:49 am on May 20, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@ChanandlerBong

i think the BBC has been https for a while.

keyplyr

6:57 am on May 20, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just tried HTTPS for BBC.com and it redirects to HTTP. Maybe someone should tell them they got it backwards.

EditorialGuy

8:35 am on May 20, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just tried HTTPS for BBC.com and it redirects to HTTP. Maybe someone should tell them they got it backwards.

Maybe they've taken the concept of "openness and transparency" a little too far. :-)

ChanandlerBong

11:14 am on May 20, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



yep, I go to BBC page and it's http, no redirect to https at all. If I call https version of a page, it does stay as https.
so they've done a halfway house sort of thing, maybe they're not worried about PR juice being spread around.

keyplyr

11:35 am on May 20, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



HTTPS to HTTP to HTTP (redirects twice)
HTTP/1.1 301 Moved Permanently
Server: Varnish
Retry-After: 0
Content-Length: 0
Accept-Ranges: bytes
Date: Sun, 20 May 2018 11:33:23 GMT
Via: 1.1 varnish
Connection: close
X-Served-By: cache-bos8231-BOS
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1526816003.270480,VS0,VE0
Location: https://www.BBC.com/
cache-control: public, max-age=3600

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Location: http://www.bbc.com/
X-Fastly-Cache-Reason: NO-CACHE-CONTROL
Content-Length: 0
Accept-Ranges: bytes
Date: Sun, 20 May 2018 11:33:23 GMT
Via: 1.1 varnish
Age: 0
Connection: keep-alive
X-Fastly-Cache-Status: PASS
X-Served-By: cache-dca17729-DCA
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1526816003.383083,VS0,VE441

HTTP/1.1 200 OK
Server: Apache
X-Cache-Action: HIT
X-Cache-Age: 36
Content-Type: text/html
Content-Encoding: gzip
Expires: Sun, 20 May 2018 11:32:44 GMT
Content-Language: en
Etag: "a8995f48032e67b6e4a28b7020d24f6a"
X-PAL-Host: pal105.back.live.telhc.local:80
Content-Length: 35655
Accept-Ranges: bytes
Date: Sun, 20 May 2018 11:33:23 GMT
Via: 1.1 varnish
Age: 3
Connection: keep-alive
X-LB-NoCache: true
X-Fastly-Cache-Status: HIT-CLUSTER
Set-Cookie: BBC-UID=21d88b12f76443161ecefe3c62bcccd0cb6c372b628fed6d5d9f558627ff85b10keyplyer%27s%20test; expires=Thu, 19 May 2022 11:33:23 GMT; path=/; domain=.bbc.com
Cache-Control: private, max-age=60
X-Served-By: cache-iad2125-IAD
X-Cache: HIT
X-Cache-Hits: 2, 1
X-Timer: S1526816004.913076,VS0,VE1
Vary: Accept-Encoding

tangor

10:20 pm on May 20, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The old way was not that proactive. A RED ALERT is ... and since that will be simply a protocol warning, the web will start to look broken. The boat load of http info sites that do not collect information will be hurt the worst.

Browsers should only warn if such info is asked rather than paint the web red. Just a thought. Meanwhile, https is generally doable and the web is headed there.

keyplyr

10:41 pm on May 20, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The boat load of http info sites that do not collect information will be hurt the worst.
It's not about hurting websites, it's about protecting users.
One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions, and to de-anonymize their identities. For example, employees might inadvertently disclose sensitive health conditions to their employers just by reading unprotected medical articles.
source: [developers.google.com...]

tangor

2:43 am on May 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



explain "intruders", "aggregate browsing" and "behaviors and intentions" and how it is revealed and to who.

robzilla

11:10 am on May 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



How it's revealed? It's all in plain-text, that's the whole point. Anyone with access to the wire can see what you do on the HTTP-Web.

If I visit the BBC, my traffic passes through at least 12 routers. I can't see if anyone snoops on it, but that doesn't mean it's not happening.

phranque

11:14 am on May 21, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



explain "intruders", "aggregate browsing" and "behaviors and intentions" and how it is revealed and to who.

an example was given in the following sentence.
do you want an explanation of the example?

keyplyr

11:28 am on May 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just a FYI - Besides the article, there's also an educational video in the link I posted.

Steven29

3:47 pm on May 22, 2018 (gmt 0)



I think https is more secure for the time being