Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

HTTP Sites Should Be Marked as Non-Secure: Chrome Security Team

Web browsers should inform users when they are accessing a website over the Hypertext Transfer Protocol (HTTP) to make them aware of the fact that there is no data security, the Chrome Security Team said in a proposal published over the weekend.

Web browsers should inform users when they are accessing a website over the Hypertext Transfer Protocol (HTTP) to make them aware of the fact that there is no data security, the Chrome Security Team said in a proposal published over the weekend.

HTTP websites expose users to surveillance, data theft, malware injection and other threats. HTTPS provides an extra layer of security and sites that utilize it are marked with a padlock icon which informs users that their connection is secure.

However, the Chrome Security Team believes users should also be warned when they visit HTTP sites and, in the long term, after secure origins are widely deployed, only these non-secure connections should be marked.

“We know that people do not generally perceive the absence of a warning sign. Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP,” experts wrote in their proposal.

Currently, Web origins can be classified into three categories: secure (valid HTTPS), dubious (valid HTTPS with mixed passive resources or minor TLS errors), and non-secure (HTTP and broken HTTPS).

The Chrome Security Team proposes that browser vendors start transitioning to a new warning model. First, by marking insecure origins as “dubious,” and then by marking them as “non-secure.” Ultimately, secure origins should be left unmarked.

These steps can be taken after certain predetermined periods of time, or based on the ratio of user interaction with secure and non-secure origins. For example, when more than 65% of origins are secure, non-secure origins are marked as “dubious.” Later, when 75% of origins are secure, non-secure origins are marked as “non-secure.”

“UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints,” the Chrome Security Team said.

In the case of Google Chrome, a transition plan will be devised and deployed in 2015. In the meantime, vendors, developers and users are urged to provide feedback on the proposal. Some of those who have commented so far applaud the initiative, including Opera Software developer Sigbjørn Vik. Others are skeptical and some even believe it’s a bad idea.

Over the past months, Google has made several changes to protect and warn Chrome users. In February, the company started prompting Chrome users when their settings are hijacked by malware. In June, it introduced and end-to-end encryption extension.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybercrime

A database containing over 235 million unique records of Twitter users is now available for free on the web, cybercrime intelligence firm Hudson Rock...