Why Does Safari Say “Not Secure” for Some Webpages on iPhone, iPad, or Mac?
If you’re a Safari user who recently updated iOS or MacOS, you may occasionally run into a “Not Secure” message near the top of the screen when viewing some websites or while browsing the web.
That ‘Not Secure’ text is simply a notification from Safari that the webpage or website is using HTTP, rather than HTTPS. This is also reflected in the URL prefix of a website, for example https://osxdaily.com vs https://osxdaily.com
The “Not Secure” message is not an indication of any change in device security. In other words, the device and website is no more or no less secure than it was before updating the web browser and seeing the “Not Secure” message. By seeing the ‘Not Secure” Safari message on an iPhone, iPad, or Mac you are simply being informed by Safari that the website or webpage being visited is using HTTP rather than HTTPS, or perhaps that HTTPS is misconfigured at some technical level.
The “Not Secure” message may also be seen if the website has an expired SSL certificate, or an improperly configured SSL certificate, in which case that is an issue with the website itself. Again, this is not reflective of on-device security (ie; the iPhone, Mac, iPad, etc is not any less secure, it’s an issue with the website itself).
HTTP stands for HyperText Transfer Protocol and has been the standard web protocol since the beginning of the web. By default, HTTP does not encrypt communication to and from the website. You can learn more about HTTP on Wikipedia if interested.
HTTPS stands for HyperText Transfer Protocol Secure, and until recently was mostly reserved for websites where encryption matters, like with an online banking website, or anything where submitting sensitive data to and from a web site should be encrypted. When a website is using HTTPS properly it means the communication to and from the website is encrypted. You can learn more about HTTPS on Wikipedia if you’re interested.
Because both Safari and Chrome now use the “Not Secure” text in the URL bar of HTTP pages, it’s likely that more and more webpages will start moving to HTTPS simply to avoid any confusion for site visitors. Moving to HTTPS from HTTP is a technical process, so while many websites will have moved to HTTPS already others have not yet done so and remain on HTTP.
It is worth pointing out that if you see a “Not Secure” message on an online banking website or a website where you are want to transmit sensitive data like a credit card number or social security number, than you should probably close that website. However, if you see the “Not Secure” text on a website where you are not inputting or transmitting any sensitive data, like a news website, information site, blog, or personal site, it likely doesn’t matter much as long as there are no logins and no transfer of sensitive information, which is when encryption matters the most.
For those wondering, the ‘Not Secure’ message in the URL bar of Safari on iPhone, iPad, and Mac OS was introduced with iOS 12.2 update and MacOS 10.14.4 update, and will likely persist with future iOS and MacOS versions of Safari too. It’s also worth pointing out that the Google Chrome browser has a similar ‘Not Secure’ message in the address / search / URL bar in modern versions of Chrome as well.