Why Does Safari Say “Not Secure” for Some Webpages on iPhone, iPad, or Mac?

Mar 29, 2019 - 9 Comments

Not Secure Safari message

If you’re a Safari user who recently updated iOS or MacOS, you may occasionally run into a “Not Secure” message near the top of the screen when viewing some websites or while browsing the web.

That ‘Not Secure’ text is simply a notification from Safari that the webpage or website is using HTTP, rather than HTTPS. This is also reflected in the URL prefix of a website, for example https://osxdaily.com vs http://osxdaily.com

The “Not Secure” message is not an indication of any change in device security. In other words, the device and website are no more and no less secure than they were before updating the web browser and seeing the “Not Secure” message. By showing the “Not Secure” message on an iPhone, iPad, or Mac, Safari is simply informing you that the website or webpage being visited is using HTTP rather than HTTPS, or perhaps that HTTPS is misconfigured at some technical level.

HTTP stands for HyperText Transfer Protocol and has been the standard web protocol since the beginning of the web. By default, HTTP does not encrypt communication to and from the website. You can learn more about HTTP on Wikipedia if interested.

HTTPS stands for HyperText Transfer Protocol Secure, and until recently was mostly reserved for websites where encryption matters, like an online banking website, or any site where sensitive data sent to and from the website should be encrypted. When a website is using HTTPS properly, it means the communication to and from the website is encrypted. You can learn more about HTTPS on Wikipedia if you’re interested.

Because both Safari and Chrome now use the “Not Secure” text in the URL bar of HTTP pages, it’s likely that more and more webpages will start moving to HTTPS simply to avoid any confusion for site visitors. Moving to HTTPS from HTTP is a technical process, so while many websites have already moved to HTTPS, others have not yet done so and remain on HTTP.

It is worth pointing out that if you see a “Not Secure” message on an online banking website or a website where you want to transmit sensitive data like a credit card number or social security number, then you should probably close that website. However, if you see the “Not Secure” text on a website where you are not inputting or transmitting any sensitive data, like a news website, information site, blog, or personal site, it likely doesn’t matter much as long as there are no logins and no transfer of sensitive information, which is when encryption matters the most.

For those wondering, the “Not Secure” message in the URL bar of Safari on iPhone, iPad, and Mac was introduced with the iOS 12.2 update and the MacOS 10.14.4 update, and will likely persist with future iOS and MacOS versions of Safari too. It’s also worth pointing out that modern versions of the Google Chrome browser show a similar “Not Secure” message in the address / search / URL bar.


Posted by: Paul Horowitz in Tips & Tricks, Troubleshooting



  1. https_steven says:

    Why is OSXDaily not using https in the first place? Even if I try to force https it redirects to http.

    • Paul says:

      We use https on the admin side, http on the public side. We’ll have to tackle https on the public side at some point to avoid confusion.

      But ultimately there is no sensitive information being transmitted here, so it really does not matter much.

  2. Jake says:

    Honestly, it is annoying that they focus so much on saying the site is “not secure” if it doesn’t use SSL/TLS. Some sites are informational only and don’t need to be encrypted.

    • Paul says:

      I agree completely, and it only confuses people who don’t know that HTTP (“Not Secure”) has been the web standard they’ve been using for decades already before.

  3. Joe says:

    https://www.osxdaily.com = 24 Characters
    http://www.osxdaily.com = 23 Characters
    Not Secured – osxdaily.com = 26 Characters

    Once again, Apple tries to reinvent the wheel and make it bloated, like their apps and updates. I used to really like Apple. OS X actually (not an iPhone user) but they’re just annoying me now.

    • Imogene says:

      And because none of this is banking it doesn’t even matter.

      It’s alarmism. Like putting a big NOT SECURE sticker on a car because it might theoretically get into a car accident.

  4. James says:

    https doesn’t just encrypt content, it also prevents it from being modified. Hotels have been found changing the ads in news pages and replacing them with their own to make money. The company hosting the page loses the ad revenue.

    • Paul says:

      That is true too, I have heard of some telecom companies doing that same thing in other parts of the world as well.

      And for web sites that are ad-supported, that should be a good motivating factor to get migrated to https!

  5. eva says:

    This site IS using https and it still says that on my iPhone but not my Mac.
