Nearly two years ago, Google made a pledge: It would name and shame websites with unencrypted connections, a strategy designed to spur web developers to embrace HTTPS encryption. On Tuesday, it finally is following through.

With the launch of Chrome 68, Google now will call out sites with unencrypted connections as “Not Secure” in the URL bar. The move flips the convention of how Chrome displays the security of sites on its head. Previously, pages that deployed HTTPS-enabled encrypted connections featured a green lock icon and the word “Secure” in the URL bar. HTTP sites had a small icon that you could click for more information; if you did, it read “Your connection to this site is not secure. You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.”

It’s a warning worth heeding. Under an unencrypted HTTP connection, any information that you send across the web can be intercepted by a hacker or other bad actor. In extreme cases, like in what are called man-in-the-middle attacks, someone could pose as a destination site—tricking you into handing over your credentials, credit card info, or other sensitive information.

“Encryption is something that web users should expect by default,” says Chrome security product manager Emily Schechter.

The use of HTTP has privacy implications as well. If you’re browsing on an unsecured connection, your internet provider and any bad actors can hypothetically see not just which site you’re on, but what specific pages. Not so with HTTPS, a benefit that has clear implications for, say, adult sites. Even innocuous sites—pages that neither ask for nor contain sensitive information—have good reason to embrace it.

“You may occasionally be in a coffee shop. If you go to a non-HTTPS site, sometimes you’ll get ads that pop over the page. Those aren’t ads from the web page; they’ve been injected somewhere along the way. That kind of behavior is what HTTPS overcomes,” says Ross Schulman, senior counsel at New America’s Open Technology Institute. “It’s not just ads. Malware is served this way, a lot. It’s not just about making sure that user information is private; it really ensures the integrity of the website.”

Sticking a warning sign in front of unencrypted sites is just one step in a broader ongoing plan. In January 2017, Chrome put a warning on sites that asked for credit card information. Several months later, it instituted the warning on HTTP sites in so-called incognito windows.

Despite the broader security benefits, Google’s HTTPS push is not without its critics. Developer Dave Winer, one of the creators of RSS, objects to what he views as Google imposing its will on the open web. “The fact is that they’re forcing it,” says Winer, who also wrote a detailed objection in February. “They’re just the tech industry. The web is so much bigger than the tech industry. That’s the arrogance of this.”

Winer worries that forced HTTPS adoption—and scolding sites that don’t embrace it—will penalize web developers who don’t have the wherewithal to implement it, and potentially cordon off older, passively managed corners of the internet. He also says that Google won't stop here: “Was this the only way to achieve this end? Because this is draconian. If this were done properly, it would have been deliberated, and a lot of people who aren't in the tech industry would have had a say in it.”

For what it’s worth, Chrome is not alone in posting warnings next to HTTP sites; Firefox has explored it also. Between the two, they hold 73 percent of browser market share. In addition, Google notes that the vast majority of Chrome traffic—76 percent on Android, and 85 percent on ChromeOS—already travels across an HTTPS connection. Gains have come not only from Google, but also from a broader push toward HTTPS that ranges from hosting sites like WordPress and Squarespace, to internet infrastructure firms like Cloudflare, to Let’s Encrypt, which provides free certificates that enable HTTPS connections. As of Tuesday, Let's Encrypt is encrypting 113 million sites.