Google Chrome will start ‘shaming’ unencrypted websites beginning in January.
The next version of the Chrome browser, Chrome 56, will mark HTTP login pages as “not secure” in a window next to the address bar.
Historically, Chrome has not explicitly labeled unencrypted connections as non-secure. According to Emily Schechter of the Chrome security team, those sites that transmit passwords or credit cards will be the first to be called out for a lack of “HTTPS,” followed by any unencrypted pages launched in “Incognito” mode, where users may have higher expectations of privacy. The long-term plan is to mark all HTTP sites as non-secure, using a red triangle indicator.
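The criterion described above (an HTTP page that collects a password or card number) is something a site owner can audit for before the label appears. The following is an added example, not Google's code or anything from the article: a small Python checker that parses a page's HTML for password fields and payment-card fields and reports the verdict the new indicator would give. Treating `autocomplete="cc-*"` attributes as the marker for card fields is an assumption made here for illustration (Chrome's own detection heuristics are not described on the page), and the HTTPS branch is deliberately simplified: it does not inspect the certificate or mixed content. The hostnames and sample pages are constructed.

```python
"""Audit pages for the condition Chrome 56 marks "not secure":
a page served over plain HTTP that collects a password or card number.
Added example; the card-field heuristic and sample data are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# autocomplete tokens the HTML spec defines for payment-card fields
# (assumption: used here as the marker for "transmits credit cards")
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month",
                     "cc-exp-year", "cc-name"}


class SensitiveInputFinder(HTMLParser):
    """Collects <input> elements that take passwords or card data."""

    def __init__(self):
        super().__init__()
        self.sensitive = []  # list of (kind, field name)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # attribute names arrive lowercased; normalise values too
        a = {k: (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.sensitive.append(("password", a.get("name", "")))
        elif a.get("autocomplete") in CARD_AUTOCOMPLETE:
            self.sensitive.append(("card", a.get("name", "")))


def sensitive_inputs(html):
    """Return the password/card inputs found in an HTML document."""
    parser = SensitiveInputFinder()
    parser.feed(html)
    parser.close()
    return parser.sensitive


def chrome56_verdict(url, html):
    """Simplified indicator: 'secure' for HTTPS (certificate and mixed
    content not checked here), 'not secure' for HTTP pages carrying
    sensitive fields, 'neutral' for HTTP pages without them."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "secure"
    return "not secure" if sensitive_inputs(html) else "neutral"


# Constructed sample pages (not real sites)
LOGIN_PAGE = """<html><body><form action="/login" method="post">
<input type="text" name="user"><input type="PASSWORD" name="pass">
<button>Sign in</button></form></body></html>"""
CHECKOUT_PAGE = '<form><input name="card" autocomplete="cc-number"/></form>'
BLOG_PAGE = "<html><body><p>Just an article.</p></body></html>"

if __name__ == "__main__":
    for url, page in [("http://example.test/login", LOGIN_PAGE),
                      ("https://example.test/login", LOGIN_PAGE),
                      ("http://example.test/pay", CHECKOUT_PAGE),
                      ("http://example.test/post", BLOG_PAGE)]:
        print(f"{url}: {chrome56_verdict(url, page)}")
```

Run it against saved copies of your own pages (or wire `sensitive_inputs` into a crawler) to list the URLs that need to move to HTTPS first; the `neutral` verdict is the one the article says will eventually become `not secure` as well.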
“Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections,” she said in a blog. “When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.”
She pointed out that a substantial portion of web traffic has already transitioned to HTTPS: more than half of Chrome desktop page loads are now served over HTTPS.
“Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria,” she said. “Studies show that users do not perceive the lack of a ‘secure’ icon as a warning, but also that users become blind to warnings that occur too frequently.”
Kevin Bocek, VP of security strategy and threat intelligence for Venafi, told Infosecurity that while Google is taking a great step toward improving security on the web, it remains to be seen if users will pay attention.
“Unfortunately, many organizations are struggling to keep up with Google’s efforts to increase authentication, confidence and privacy,” he said. “Many organizations still blindly trust all encrypted traffic, even though we know that cyber criminals have been able to subvert encryption in a variety of cyber-attacks. As far back as 2012, a broad range of industry voices, including Gartner, started sounding the alarm on this topic but, so far, most organizations have been less than responsive. Let’s hope that that is about to change.”
Source: Infosecurity Magazine