Chrome takes another step toward squashing HTTP-only websites
Google’s Chrome web browser will begin next year to warn users when an unencrypted web page requests a password or asks for credit card details, the company said Thursday.
In a blog post, Emily Schechter, a member of Chrome’s security team, notes the browser’s current policy of a neutral icon in the address bar for plaintext HyperText Transfer Protocol (HTTP) websites, “doesn’t reflect the true lack of security for HTTP connections.”
“When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you,” she writes. This means information users send to an HTTP website can be stolen quite easily, and their browsing activity can be monitored.
As a result, Google and other internet companies have been working to extend the use of Secure HTTP, or HTTPS. These websites, often denoted by the padlock in a browser’s address bar, establish an encrypted connection between the site and the user. Traffic cannot be monitored and the user can be reasonably certain that the site is genuine and not being tampered with.
Sites that use HTTPS have to provide a special digital certificate to guarantee their validity.
For more than a decade, HTTPS has been the default standard for banking and e-commerce websites — but not elsewhere. For several years, internet security advocates have been campaigning to change that.
In June last year, for instance, a policy memo from Federal CIO Tony Scott required new U.S. government websites to use only HTTPS — and for existing federal websites to transition by the end of the year. According to a dashboard the memo established, 53 percent of federal websites currently use HTTPS.
In Thursday’s blog post, Schechter notes that campaign is succeeding elsewhere, too — the proportion of HTTPS pages loaded in Chrome browsers worldwide recently topped 50 percent.
“Studies show that users do not perceive the lack of a ‘secure’ icon [like the padlock-in-a-browser] as a warning,” she wrote, but adds that users also quickly begin to ignore “warnings that occur too frequently.”
As a result, Google plans to stagger its efforts to “label HTTP sites more clearly and accurately as non-secure.”
“Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as ‘not secure,’ given their particularly sensitive nature,” Schechter wrote, adding that other steps would follow later in the year. For instance, later versions of the browser will begin labelling HTTP pages as “not secure” when users are “in Incognito mode, where [they] may have higher expectations of privacy.”
Eventually, she states, “we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to a warning red triangle.”
Currently, that warning is only displayed when there is a problem with an HTTPS site — typically an expired certificate.