In iOS 12.2 and macOS 10.14.4, you may notice a new warning in the URL bar when browsing the web in Safari. It says the page you are visiting is “Not Secure”. But what does this mean? Are you less secure than you were before?
What does Not Secure mean in Safari?
iPhones and iPads running iOS 12.2 or later (or Macs with Safari 12.1 or later) will now say whether or not the current Safari page is using a secure HTTPS connection to the server.
HTTPS means that all communication over the Internet for that page is encrypted, which prevents any unscrupulous third party from seeing or modifying the content of the page.
The “Not Secure” message will appear when the current web page is not HTTPS. You could also verify this by tapping in the address field to reveal the full URL.
You are no more or less secure than you were with any previous Apple software update, but the idea is that users can be more aware of the security status of the websites they are visiting.
A few years ago, websites would only use HTTPS for secure pages like banking, or the checkout form on a store website where you are entering sensitive credit card details.
As privacy and security practices have developed, it is now expected that all pages on the Internet should use HTTPS — even if they don’t collect sensitive information like account logins, passwords, or payment details.
This is because HTTPS reduces the surface area for exploits, as all loaded resources on the page must be appropriately protected. HTTPS also prevents a criminal from snooping on your connection at any point in the chain, such as a compromised ISP or public WiFi hotspot.
However, older sites, unmaintained sites, or sites run by smaller companies, may not have made the switch. This is when you will see the Not Secure text in the main Safari toolbar.
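For a site owner planning the switch, the requirement that every loaded resource be protected can be checked in advance. The JavaScript (Node.js) sketch below is an added example, not code from Apple or from this article; the function name auditPage, the example hosts and the sample page are constructed for illustration. It reports whether a page would get the Not Secure label as described above, and lists the subresources hard-coded to http:// that would stay unprotected even after the page itself moves to HTTPS.

```javascript
// Added example; function names and the sample page are constructed.
// Tag -> attribute that makes the browser fetch a subresource on load.
const FETCH_ATTR = { script: "src", iframe: "src", embed: "src", object: "data",
  link: "href", img: "src", audio: "src", video: "src", source: "src" };
// Script, frame, plugin and stylesheet content can change the page itself, so
// browsers treat it more strictly than images or media ("active" content).
const ACTIVE = new Set(["script", "iframe", "embed", "object", "link"]);

function auditPage(pageUrl, html) {
  const page = new URL(pageUrl);
  const upgraded = new URL(pageUrl);
  upgraded.protocol = "https:"; // the address the page would have after the switch
  const insecure = [];
  // Regex tag scan: enough for an audit sketch, not a full HTML parser.
  for (const [, name, attrs] of html.matchAll(/<([a-zA-Z][\w-]*)\b([^>]*)>/g)) {
    const tag = name.toLowerCase();
    const attr = FETCH_ATTR[tag];
    if (!attr) continue; // <a href> is navigation, not a subresource
    // Only stylesheet links are fetched and applied; rel=canonical is not.
    if (tag === "link" && !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(attrs)) continue;
    const m = attrs.match(
      new RegExp(`(?:^|\\s)${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i"));
    if (!m) continue;
    let url;
    try { url = new URL(m[1] ?? m[2] ?? m[3], upgraded); } catch { continue; }
    // Relative and //host URLs follow the page to HTTPS; hard-coded http:// stays.
    if (url.protocol === "http:") {
      insecure.push({ tag, url: url.href, kind: ACTIVE.has(tag) ? "active" : "passive" });
    }
  }
  // Per the article, the label appears whenever the page itself is not HTTPS.
  return { notSecureLabel: page.protocol !== "https:", insecure };
}

// Constructed sample: an older blog page still served over plain HTTP.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://blog.example/post">
<script src="http://cdn.example/lib.js"></script>
<script src="//stats.example/t.js"></script>
<img src="http://img.example/photo.jpg" data-src="http://img.example/lazy.jpg">
<img src='images/logo.png'>
<a href="http://other.example/">elsewhere</a>
`;
console.log(auditPage("http://blog.example/post", SAMPLE_HTML));
```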
If you are on a page that is Not Secure and doing banking or entering sensitive information like payment details, then you should probably stop what you are doing and close the page. It is most likely some kind of phishing attack.
If you are browsing a Not Secure page that does not require sensitive information, the risk is substantially lower as there is less important information to steal. Being Not Secure means that third parties can potentially snoop on your internet traffic and see what you are doing, and potentially a malicious script could be injected into the page, but if you are just browsing a mid-2000s blog then it isn’t going to matter too much.
You are certainly no less secure than you were last week, last month or last year. It’s just that Apple is now ensuring customers are more aware of the encryption status of the current tab. Other browser vendors have already rolled out similar warning messages in their interfaces.
In many ways, these messages put pressure on the laggards to update and adopt HTTPS more quickly. Google’s search rankings have even started deprioritizing HTTP-only pages, and that penalty alone is a big incentive for sites to jump on the HTTPS train.
Effectively, over time, you will see the Not Secure text less and less. Don’t immediately panic when you do come across it though. Be cautious. Do not enter sensitive information into a website that is not using HTTPS.