Security Experts:

HTTP Sites Should Be Marked as Non-Secure: Chrome Security Team

Web browsers should inform users when they are accessing a website over the Hypertext Transfer Protocol (HTTP) to make them aware of the fact that there is no data security, the Chrome Security Team said in a proposal published over the weekend.

HTTP websites expose users to surveillance, data theft, malware injection and other threats. HTTPS provides an extra layer of security and sites that utilize it are marked with a padlock icon which informs users that their connection is secure.

However, the Chrome Security Team believes users should also be warned when they visit HTTP sites and, in the long term, after secure origins are widely deployed, only these non-secure connections should be marked.

"We know that people do not generally perceive the absence of a warning sign. Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP," experts wrote in their proposal.

Currently, Web origins can be classified into three categories: secure (valid HTTPS), dubious (valid HTTPS with mixed passive resources or minor TLS errors), and non-secure (HTTP and broken HTTPS).

The Chrome Security Team proposes that browser vendors start transitioning to a new warning model. First, by marking insecure origins as "dubious," and then by marking them as "non-secure." Ultimately, secure origins should be left unmarked.

These steps can be taken after certain predetermined periods of time, or based on the ratio of user interaction with secure and non-secure origins. For example, when more than 65% of origins are secure, non-secure origins are marked as "dubious." Later, when 75% of origins are secure, non-secure origins are marked as "non-secure."

"UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints," the Chrome Security Team said.

In the case of Google Chrome, a transition plan will be devised and deployed in 2015. In the meantime, vendors, developers and users are urged to provide feedback on the proposal. Some of those who have commented so far applaud the initiative, including Opera Software developer Sigbjørn Vik. Others are skeptical and some even believe it's a bad idea.

Over the past months, Google has made several changes to protect and warn Chrome users. In February, the company started prompting Chrome users when their settings are hijacked by malware. In June, it introduced and end-to-end encryption extension.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.