Starting in January 2017, Chrome will mark HTTP sites as non-secure when they transmit sensitive information such as passwords or credit card information, Google said this week.
The Web browser already signals the security of a connection through an icon in the address, bar but hasn’t explicitly labelled HTTP connections as non-secure. That will change early next year when Chrome 56 is scheduled to arrive. The long-term plan, Google says, is to mark all HTTP sites as non-secure.
At the moment, Chrome indicates HTTP connections with a neutral indicator, but that “doesn’t reflect the true lack of security for HTTP connections,” Emily Schechter, Chrome Security Team, Google, explains in a blog post. Because HTTP is not secure, when the user loads a website over HTTP, an attacker on the network could look at or modify the site before the user accesses it, Schechter says.
Sensitive information such as login credentials and credit card information represent the kind of data that users wouldn’t want to be compromised over HTTP. Also fearing that login pages can be manipulated by Man-In-The-Middle (MiTM) attacks when sent over a non-secure connection, Mozilla in January updated Firefox to warn of password requests over HTTP.
The upcoming change in Chrome will be another step that Google takes in its continuous push towards more secure web traffic. As Schechter notes, a “substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing.” However, just over half of the Chrome desktop page loads are now served over HTTPS, while the others remain on HTTP.
Once Chrome starts labeling HTTP sites more clearly and accurately as non-secure, users might become more aware of the danger these websites pose. The lack of a “secure” icon isn’t perceived as a warning, but the risk is to turn users blind to warnings if they occur too frequently. Thus, Google will label HTTP connections as non-secure gradually, beginning with Chrome 56, which will flag pages with password or credit card form fields only.
“In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,” Schechter continues.
Last year, Google announced that it was boosting HTTPS pages in search results, in an attempt to encourage webmasters to improve their site’s security. Earlier this year, the company also started monitoring the use of HTTPS on top 100 sites. This push towards HTTPS has already paid off, with WordPress.com announcing in April free HTTPS to all hosted sites.
Site owners are encouraged to move to HTTPS as soon as possible. “HTTPS is easier and cheaper than ever before, and enables both the best performance the web offers and powerful new features that are too sensitive for HTTP,” Schechter says. Courtesy of open Certificate Authorities such as Let’s Encrypt, HTTPS certificates can be grabbed for free.