The Chrome browser will soon start flagging sites with password or card number fields that don’t use encryption. The change in January will be the first of a multi-step process.

Until now Chrome has worked like most browsers by putting the emphasis on positively identifying secure sites with the familiar padlock icon in the address bar and the “https://” beginning written in green.

Google cites testing which raises two problems with this approach: users don’t really take much notice of the fact that unsecure sites don’t have this label, and users stop paying attention if they see too many security warnings.

From version 56 of Chrome, due for release in January, HTTP sites which transmit data and have form fields for passwords or credit cards will be labelled with a warning triangle icon and the words “Not secure”, both in red, appearing before the site address.

The company plans to step this up over time. The next step is likely to be putting this warning on all HTTP sites, regardless of content, if the user is running Incognito (private browsing) mode. The plan is to eventually apply this to all HTTP sites regardless of the circumstances.