Google Chrome browser will mark all http-only sites as unsafe!

This is coming to the Chrome browser, part of their https-only strategy: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
I think this measure is grossly misleading. It is also only communicating part of the story.
There are http-only sites that are perfectly safe (without the use of Java and JavaScript, insecure forms etc.).
There are https websites that are inherently unsafe and insecure, where only the connection to the server comes with the so-called green padlock.
With this new policy Google does not change the situation pro-actively; they do not educate those that put websites up to do this in a more secure way, and they do not educate the users of their browser on how to protect against the threat that visiting websites forms (any website, secure http and insecure https). They leave us in the dark.
Use extensions like Webpage Behavior Report Browser JS Guard, KB SSL Enforcer and Safer Chrome Security Report to see where things on websites still go wrong. See with You Won’t Be Tracked now where NSA may still be snooping on https-only sites. Google here will continue the status-quo that suits them best.

The average end-user is not able to protect themselves with NoScript/uMatrix and a decent ad-blocker like uBlock Origin against threats coming from https-only websites.
Whenever we had a situation where Google Safebrowsing could protect us against all sites with issues and all potentially malicious websites, I would say: "Hey, that is a welcome initiative!"

Now it is just a measure to show they have acted, while also being able to continue their insecure practices unhindered. Will it stop any cybercrime, click-fraud, black hat SEO, malcode? Not fully and not even partly. Will it bring in less snooping or make it harder for the NSA and global commerce to track our every profile, to know about all you watch and click? No, it won't. It is another stopgap.

See for yourself, then: visit HTTPS-Only Atlas or look through some of the websites I have been analyzing for the virus and worms section of these forums.

What should be done? Educate webmasters, hosting and provider staff where they could offer better pro-active security, where they could retire insecure and left-over code, where they could configure their webservers better, implement security headers, where they should take insecure sites down, sinkhole to study the ways of the malversant etc.

Educate end-users and teach them to use a browser in a better way, to be able to protect themselves and steer clear of websites that may endanger their computers or peripherals. Educate these average users how to handle script and ad blocking and how to acquire better browsing practices.

With Google it is that you should beware of the geese when the fox preaches…
because it is the way they make money that leaves you in the dark, and for some of the things they do they cannot even reveal it, because they are under a gag order from (the) government(s). When a certain government turns dark we all may become endangered by some of our online (social) activities; https-only then won't help us there one byte.

polonus
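The post above argues that webmasters should configure their webservers better and implement security headers. The following is an added example, not code from the forum thread or from any tool it names: it parses a raw HTTP response and reports which common hardening headers are missing or weak. Both sample responses are constructed for illustration, and the thresholds (such as the 180-day HSTS minimum) are assumed policy choices, not anything the thread states.

```python
"""Audit a raw HTTP response for common security headers.

Added example. The sample responses are constructed, not captured from a real
site, and the header policy below reflects general hardening guidance.
"""

# Constructed sample: a typical under-configured server response.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed sample: the same page with hardening headers in place.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Assumed policy: HSTS max-age shorter than ~180 days is treated as weak.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_response(raw):
    """Split a raw response into (status line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_hsts(value):
    """Return a problem description for an HSTS value, or None if acceptable."""
    max_age = None
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                return "has an invalid max-age"
    if max_age is None:
        return "is missing max-age"
    if max_age < MIN_HSTS_MAX_AGE:
        return "max-age below 180 days"
    return None


def audit_headers(headers, over_https):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if over_https:
        if hsts is None:
            findings.append("Strict-Transport-Security missing")
        else:
            problem = check_hsts(hsts)
            if problem:
                findings.append("Strict-Transport-Security " + problem)
    elif hsts is not None:
        # Browsers ignore HSTS delivered over plain HTTP, so it is dead weight here.
        findings.append("Strict-Transport-Security sent over plain HTTP (ignored by browsers)")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        if "default-src" not in csp.lower():
            findings.append("Content-Security-Policy has no default-src fallback")
        if "'unsafe-inline'" in csp.lower():
            findings.append("Content-Security-Policy allows 'unsafe-inline'")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")

    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy missing")

    for leaky in ("server", "x-powered-by"):
        if leaky in headers:
            findings.append("%s header discloses server software" % leaky.title())

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        _, hdrs, _ = parse_response(raw)
        print(label, audit_headers(hdrs, over_https=True) or ["no findings"])
```

Running the block prints the findings for both constructed responses; the same functions can be pointed at a response captured with a proxy or `curl -i`. Note the `over_https` flag: an HSTS header is only honoured on a TLS connection, which is why the check treats it differently for plain http.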

Oh, and one other aspect of it that is often forgotten in the evaluation:
the additional costs involved. It costs money you have to spend on https certification etc., and the connections cost you more weight (just current on the mains).
Where http sites are perfectly safe, it will cost you more to bring in https.
And not all content is worth the money to secure it.

polonus

@Polonus Do they say how they'll do this? Like, will they give a notification before connecting to the http site, or will it be something that shows in the navigation bar?

Hi Coolmario,

When this is introduced the padlock will be grey with a red cross-out.
Also, with indexing Google will favor https websites over all http websites, so these will come up first in the search results.
So everybody will adapt their websites according to the Google guidelines.
Google wants to optimize protocols the way Google likes it best (think of SPDY).

polonus

Oh, and there is another bad side to all of this. When Google makes this obligatory and Firefox follows this initiative, as is to be expected, then additional malware via the main domain secured with SSL will also be more secure, so we cannot even see where that data traffic is going to. So do we like to go "hardening" malware?
An initiative for hackers to now start to hack and inject secured domains. A bit more tricky, but there are various ways to do this via shared hosting, some easy ways for Windows/IIS, etc.
Info credits for the above info go to Wim ten Brink.
So https does not cure holed and malicious and suspicious websites. It only secures against other threats, but against unique IDS tracking it is no cure, as this has not been regulated via a protocol so far. Good for the "official" trackers.

This will mean more security through obscurity, and don't we have more than enough of that already?

polonus