Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

HTTP Sites Should Be Marked as Non-Secure: Chrome Security Team

Web browsers should inform users when they are accessing a website over the Hypertext Transfer Protocol (HTTP) to make them aware of the fact that there is no data security, the Chrome Security Team said in a proposal published over the weekend.

Web browsers should inform users when they are accessing a website over the Hypertext Transfer Protocol (HTTP) to make them aware of the fact that there is no data security, the Chrome Security Team said in a proposal published over the weekend.

HTTP websites expose users to surveillance, data theft, malware injection and other threats. HTTPS provides an extra layer of security and sites that utilize it are marked with a padlock icon which informs users that their connection is secure.

However, the Chrome Security Team believes users should also be warned when they visit HTTP sites and, in the long term, after secure origins are widely deployed, only these non-secure connections should be marked.

“We know that people do not generally perceive the absence of a warning sign. Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP,” experts wrote in their proposal.

Currently, Web origins can be classified into three categories: secure (valid HTTPS), dubious (valid HTTPS with mixed passive resources or minor TLS errors), and non-secure (HTTP and broken HTTPS).

The Chrome Security Team proposes that browser vendors start transitioning to a new warning model. First, by marking insecure origins as “dubious,” and then by marking them as “non-secure.” Ultimately, secure origins should be left unmarked.

Advertisement. Scroll to continue reading.

These steps can be taken after certain predetermined periods of time, or based on the ratio of user interaction with secure and non-secure origins. For example, when more than 65% of origins are secure, non-secure origins are marked as “dubious.” Later, when 75% of origins are secure, non-secure origins are marked as “non-secure.”

“UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints,” the Chrome Security Team said.

In the case of Google Chrome, a transition plan will be devised and deployed in 2015. In the meantime, vendors, developers and users are urged to provide feedback on the proposal. Some of those who have commented so far applaud the initiative, including Opera Software developer Sigbjørn Vik. Others are skeptical and some even believe it’s a bad idea.

Over the past months, Google has made several changes to protect and warn Chrome users. In February, the company started prompting Chrome users when their settings are hijacked by malware. In June, it introduced and end-to-end encryption extension.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.