Around 2006, with the launch of MSIE 7.0, users witnessed a change in how web browsers displayed the page address. Any time the browser encountered an HTTPS page, the address bar would turn green.
Encryption also has potential for mischief. It establishes a secure tunnel from your computer to a remote server. In a company, for example, this arrangement would make it possible for a harmful program (e.g. a virus or ransomware) to bypass the firewall and antivirus of the main server and land on one of the personal machines.
To thwart this, independent certification companies hand out authentication certificates. Famous names are Verisign and GoDaddy. When the browser encounters an HTTPS page, it asks for the authentication certificate. It asks the server, "How do I recognize you?" Then the server shares its security certificate. The browser independently contacts the certification company to check whether the certificate is genuine or a fake/imposter. If everything is OK, the address bar would turn green; if there is something wrong, depending upon the level of wrongness, the bar would turn pink or yellow. A common example of a problem is that the security certificate has expired. (This is just like road tax/MV tax: the thing is still in place but cannot be legal because the token is not paid.)
At that time, IE 7.0 would pop up a balloon notification to educate users about HTTPS. HTTPS had been around for many years before that, but efforts to educate users on how to recognize a secure connection AND a trustworthy server were made in view of rising phishing, banking fraud and other cybercrimes.
Around the same time, other browsers also adopted similar methods to highlight the verified HTTPS, unverified HTTPS and plain HTTP websites. The reasons were the same:
1. To announce that a secure (=encrypted) connection has been made.
2. To announce that the server's authenticity has been verified by a renowned third party. This makes it clear that, e.g., it is your trusted ets.org that is taking money for TOEFL from you and not some fishy fraudster who wants to get to know your credit card number and CVV.
3. To encourage users to look for a secure and trusted connection whenever they exchange sensitive data (monetary details, passwords, etc.).
The general behaviour of address bars in contemporary browsers is discussed here: https://en.wikipedia.org/wiki/Address_bar
More recently, the behaviour of the address bar has grown far more diverse, depending on:
1. whether the connection is plain HTTP.
2. if the connection is HTTPS, there can be more than one type of behaviour depending upon what type of security certificate is present.
3. if the connection is HTTPS but no security certificate is present!
After this background on address bar behaviour, now comes the real message of this post. Google has recently announced an initiative to encourage more businesses to move to site-wide HTTPS by default. Websites with plain HTTP will be highlighted, and users will be notified that the connection with the website is not encrypted. To quote them: "The goal of this proposal is to more clearly display to users that HTTP provides no data security."
You can read the whole blog post here: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure (It also has a FAQ section at the bottom of the page which is helpful for developers, webmasters and users alike.)
Given Mozilla's Polaris Privacy Initiative (https://blog.mozilla.org/privacy/2014/11/10/introducing-polaris-privacy-initiative-to-accelerate-user-focused-privacy-online/), the fact that they are considering adding Tor encryption right into Firefox, and the fact that this week they donated to Tor, it is predictable that other browser manufacturers would also prefer to adopt such a strategy.
The change in thinking: In the past, if a site was HTTPS it would be highlighted as being more trustworthy. If a website was plain HTTP then the browser did nothing special.
In the future, if a website is HTTPS, it will be announced that it is secure (just like before) ... but when a plain HTTP page is encountered, the browser will announce that it is not secure!
The transition will not happen overnight but in stages.
Q: What effect will it have on routine websites like Pakwheels.com?
A: Users already trust the website and may well feel there is no need for it to be HTTPS. But let's see: people do not like warnings. If, every time somebody visits Pakwheels.com, Google Chrome tells them loudly, "This website is not secure", what sort of PR would the website get?
Q: Will the user traffic reduce?
A: I doubt the target customer of Pakwheels.com would care. The majority of them are young dare-devils who are already risk-takers (young people are not so risk-averse); plus, as believers in destiny, our society does not feel like paying attention to any warnings. As per another cultural phenomenon, people who heed security warnings are called out as weak, cowardly or feminine (is it politically correct or not? This is a discussion for another time) and are shamed like anything. In addition, there are myriad other problems plaguing the country/society which are far more pressing, urgent, disastrous, violent and more attention-worthy, in view of which this seems like a small issue.
Q: Will the users go to another website which does not have this warning?
A: I still doubt it, because Pakwheels.com enjoys a monopoly in the automotive enthusiast web portal market, just like Pak Suzuki in the passenger car market. Since the users have nowhere else to go, what could they do?
Q: How will Pakwheels.com get affected?
A: Pakwheels.com is getting increasingly commercial by the day, as witnessed by the recent investment by M/s Frontier DV (Ref: https://www.pakwheels.com/forums/site-feedback-suggestions/243840-pakwheels-raised-3-5-million-dollar-grow). Also, the main page has recently been overhauled and the Used Car search panel has been emphasized (Ref: https://www.pakwheels.com/blog/announcing-revamped-layout-pakwheels-com/), whereas Blog Posts and Recent Forum Activity have been made less important.
Imagine a potential investor visiting Pakwheels.com for the first time. What impression will they get when Google Chrome greets them with a "This website is not HTTPS"? Most of the users would probably ignore the warning because their money (e.g. credit card #) is not at stake. But would an investor whose $$$ are going to be invested in the company ignore it?
Q: Is it for the benefit of Pakwheels.com to go site-wide HTTPS?
A: Yes! Although the staff of a company is in a better position to conduct a feasibility study than a consumer of their services, everyone, Pakwheels.com and their consumers alike, would be better off with such a mechanism.
Pakwheels.com has many firsts to its credit, and it could well be the first Pakistani website to adopt mass-scale HTTPS. Even the banks and stock brokers only handle the employee login and internet banking over HTTPS, and the rest is in plain HTTP. Let's see what happens.
Meanwhile this is what Google Chrome shows (when manually writing https://www.pakwheels.com since it still does not default to HTTPS) when we log on today (31 Jan 2015). See the text outlined in the red box:
EDIT: Added link to Pakwheels blog post (for reference).
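The address-bar cases listed earlier in the post (plain HTTP, HTTPS with a good certificate, an expired or missing certificate) and the old versus proposed marking of plain HTTP, written out as an added example that is not part of the original post. The state names, the `chain_trusted` flag and the sample certificate are assumptions made for illustration.

```python
import ssl
import time
from urllib.parse import urlsplit

# Constructed sample certificate (not a real site's), shaped like the dict
# that ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def _name_matches(pattern, host):
    """Match a certificate DNS name; '*' covers exactly the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def connection_state(url, cert=None, chain_trusted=False, now=None):
    """Classify a page load into the cases the post lists.

    chain_trusted is an assumption: it stands for the issuer check that the
    TLS library performs, which is not re-implemented here.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "plain-http"
    if not cert:
        return "https-no-certificate"
    now = time.time() if now is None else now
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "https-expired"
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "https-not-yet-valid"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, parts.hostname or "") for n in names):
        return "https-name-mismatch"
    return "https-verified" if chain_trusted else "https-untrusted-issuer"

def indicator(state, mark_http_non_secure):
    """Address-bar message under the old policy (False) or the proposed one (True)."""
    if state == "https-verified":
        return "secure"
    if state == "plain-http":
        return "not secure" if mark_http_non_secure else "no indicator"
    return "certificate warning"
```

Only the plain-HTTP row changes between the two policies; every certificate problem is flagged either way.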