Why Does Safari Say “Not Secure” for Some Webpages on iPhone, iPad, or Mac?

Mar 29, 2019 - 23 Comments


If you’re a Safari user who recently updated iOS or MacOS, you may occasionally run into a “Not Secure” message near the top of the screen when viewing some websites or while browsing the web.

That “Not Secure” text is simply a notification from Safari that the webpage or website is using HTTP, rather than HTTPS. This is also reflected in the URL prefix of a website, for example http://osxdaily.com vs https://osxdaily.com


The “Not Secure” message is not an indication of any change in device security. In other words, the device and website are no more and no less secure than they were before updating the web browser and seeing the “Not Secure” message. When you see the “Not Secure” Safari message on an iPhone, iPad, or Mac, you are simply being informed by Safari that the website or webpage being visited is using HTTP rather than HTTPS, or perhaps that HTTPS is misconfigured at some technical level.

The “Not Secure” message may also be seen if the website has an expired SSL certificate, or an improperly configured SSL certificate, in which case that is an issue with the website itself. Again, this is not reflective of on-device security (i.e., the iPhone, Mac, iPad, etc. is not any less secure; it’s an issue with the website itself).
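
For site owners who want to know which of these causes applies to their own site, here is an added example (not part of the original article) that sorts a URL into the cases described above: plain HTTP, HTTPS with an expired or misconfigured certificate, or HTTPS that checks out. The names `diagnose`, `tls_probe` and the `probe` parameter are assumptions of this example; the numeric codes are OpenSSL's certificate-verification codes.

```python
import socket
import ssl
from urllib.parse import urlsplit

# OpenSSL certificate-verification codes mapped to plain-language causes.
VERIFY_REASONS = {
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "certificate is self-signed",
    19: "self-signed certificate in the chain",
    20: "issuer is not trusted or the chain is incomplete",
    62: "certificate does not match the hostname",
}


def tls_probe(host, port=443, timeout=5.0):
    """Do a real TLS handshake with normal verification.

    Returns None when the certificate verifies, or the OpenSSL verify
    code when it does not. Network errors are left to propagate.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_code


def diagnose(url, probe=tls_probe):
    """Say why a browser would (or would not) flag this URL."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return "not secure: plain HTTP, nothing is encrypted"
    if parts.scheme != "https" or not parts.hostname:
        return "not a web URL"
    code = probe(parts.hostname, parts.port or 443)
    if code is None:
        return "secure: HTTPS with a valid certificate"
    reason = VERIFY_REASONS.get(code, f"certificate check failed (code {code})")
    return f"not secure: HTTPS is misconfigured, {reason}"


if __name__ == "__main__":
    # Constructed sample: a stand-in probe that reports an expired certificate.
    print(diagnose("http://example.com/"))
    print(diagnose("https://example.com/", probe=lambda host, port: 10))
```

Calling `diagnose()` with the default probe makes a live connection to the site; passing a stand-in `probe`, as in the sample at the bottom, keeps it offline.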

HTTP stands for HyperText Transfer Protocol and has been the standard web protocol since the beginning of the web. By default, HTTP does not encrypt communication to and from the website. You can learn more about HTTP on Wikipedia if interested.

HTTPS stands for HyperText Transfer Protocol Secure, and until recently was mostly reserved for websites where encryption matters, like an online banking website, or any site where sensitive data is submitted and should be encrypted. When a website is using HTTPS properly, it means the communication to and from the website is encrypted. You can learn more about HTTPS on Wikipedia if you’re interested.

Because both Safari and Chrome now use the “Not Secure” text in the URL bar of HTTP pages, it’s likely that more and more webpages will start moving to HTTPS simply to avoid any confusion for site visitors. Moving to HTTPS from HTTP is a technical process, so while many websites will have moved to HTTPS already, others have not yet done so and remain on HTTP.

It is worth pointing out that if you see a “Not Secure” message on an online banking website or a website where you want to transmit sensitive data like a credit card number or social security number, then you should probably close that website. However, if you see the “Not Secure” text on a website where you are not inputting or transmitting any sensitive data, like a news website, information site, blog, or personal site, it likely doesn’t matter much as long as there are no logins and no transfer of sensitive information, which is when encryption matters the most.

For those wondering, the “Not Secure” message in the URL bar of Safari on iPhone, iPad, and Mac OS was introduced with the iOS 12.2 update and the MacOS 10.14.4 update, and will likely persist with future iOS and MacOS versions of Safari too. It’s also worth pointing out that modern versions of the Google Chrome browser have a similar “Not Secure” message in the address / search / URL bar.


Posted by: Paul Horowitz in Tips & Tricks, Troubleshooting

23 Comments


  1. Cliff Esler says:

    Your suggestion to learn more about the protocol by visiting https://en.wikipedia.org/wiki/HTTPS might have been useful if Safari hadn’t said “cannot open because this website is not secure” !! Try updating the article to address older iOS versions.

  2. chris fox says:

    Great article. Tells me everything I never wanted to know about why I can’t browse to a website. So much “doesn’t work, don’t care” in this article.

    • In says:

      So glad it helped you understand why you might see the “Not Secure” badge on a website. It can also be because of expired certificates etc, but just Not Secure will not block you from seeing a site.

  3. Nikolo says:

    This is helpful thanks for the information, sounds like scare mongering!

  4. Shelly Andrea says:

    I now understand why people suddenly decide to go off to live in the middle of the woods. I give up. I used to love modern technology, but I don’t like being spied on. I’m going off grid.

  5. Itdoesmatter says:

    I can’t even bloody open my hospital website to get a contact number for a ward as it says “not secure” and won’t open, so I don’t know what others are saying that it doesn’t affect your browsing! It does! 😡

  6. Jill says:

    Even this site is ‘Not Secure’! Will I regret writing on here?
    I’ve just spent an hour on Vodafone chat about it thinking my phone had been hacked. I was told to change my browser to Chrome or Firefox.

  7. Andrea says:

    I don’t care if I can still search. How do I turn the damn thing off? I have an iPad. I don’t want one more thing to ignore.
    I accidentally hit the update button and I’m always sorry. Apple seems to delight in aggravating users.

  8. Julia Marie Holtzclaw-Knight says:

    Is there any way to turn it off or turn whatever off that’s making it do this? Almost everything I try to search does it and I can’t do anything!! I’m very angry 😡

    • Bout says:

      Are you seeing something else? Certificate warnings? What is the device or OS?

      The “Not Secure” Safari badge is only a message and has no impact on the ability to use Safari or the websites, you can still search and go to websites as normal, it’s just a goofy message that can be ignored with no impact on using websites, the only websites where it matters are banking and personal data website like health, email, financial, tax, etc. All it is basically is a notification indicating the website is HTTP rather than HTTPS. For the vast history of the web, HTTP was used until very recently.

  9. eva says:

    this site IS using a https and it still says that on my iPhone but not my mac

  10. James says:

    https doesn’t just encrypt content it also prevents it from being modified. Hotels have been found changing the ads in news pages and replacing them with their own to make money. The company hosting the page loses the ad revenue.

    • Paul says:

      That is true too, I have heard of some telecom companies doing that same thing in other parts of the world as well.

      And for web sites that are ad-supported, that should be a good motivating factor to get migrated to https!

  11. Joe says:

    https://www.osxdaily.com = 24 Characters
    https://osxdaily.com = 23 Characters
    Not Secured – osxdaily.com = 26 Characters

    Once again, Apple tries to reinvent the wheel and make it bloated, like their apps and updates. I used to really like Apple. OS X actually (not an iPhone user) but they’re just annoying me now.

    • Imogene says:

      And because none of this is banking it doesn’t even matter.

      It’s alarmism. Like putting a big NOT SECURE sticker on a car because it might theoretically get into a car accident.

  12. Jake says:

    Honestly, it is annoying that they focus so much on saying the site is “not secure” if it doesn’t use SSL/TLS. Some sites are informational only and don’t need to be encrypted.

    • Paul says:

      I agree completely, and it only confuses people who don’t know that HTTP (“Not Secure”) has been the web standard they’ve been using for decades already before.

  13. https_steven says:

    Why is OSXDaily not using https in the first place? Even if I try to force https it redirects to http

    • Paul says:

      We use https on the admin side, http on the public side. We’ll have to tackle https on the public side at some point to avoid confusion.

      But ultimately there is no sensitive information being transmitted here, so it really does not matter much.

      • https_bob says:

        Paul, your argument is not exactly accurate:

        https://https.cio.gov/everything/

        > Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace. Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators.
