Google reported that, from January 2017, its Chrome web browser will start marking HTTP sites as non-secure when they transmit sensitive information such as credit card data or passwords.
Chrome already signals the security of a connection through an icon in the address bar, but HTTP connections have not been marked as non-secure yet. This is about to change, as Chrome version 56 is scheduled to be available at the beginning of next year. Google reports that the long-term aim is for all HTTP sites to be labeled as non-secure.
At this point, Chrome shows HTTP connections with a neutral indicator. However, as Emily Schechter from the Chrome Security Team says, this “doesn’t reflect the true lack of security for HTTP connections.” Schechter also explains that, because HTTP is not secure, when a website is loaded over it, crooks are able to monitor it or change it before the users even access it.
Login and credit card credentials are the exact type of valuable information no one would want to put at risk over HTTP. In January, Mozilla also took more preventive measures by updating its Firefox browser to warn of password requests over HTTP. Mozilla did this out of fear that login pages, when sent over a non-secure connection, could be compromised by Man-in-the-Middle (MitM) attacks.
With this modification in Chrome that is about to be implemented, Google takes one more step toward its goal of more secure web traffic. As Schechter says, a “substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing.” And yet, even though more than 50% of the Chrome desktop page loads are now served over HTTPS, the rest are still served over HTTP.
When Chrome starts marking HTTP sites as non-secure, users may clearly understand the risk these webpages pose. Most users don’t treat the absence of a “secure” icon as a warning, but if warnings start appearing too often, people will pay them even less attention. That’s why Google will mark HTTP connections as non-secure gradually, starting with Chrome 56, which will flag only pages with credit card form fields or passwords.
“In following releases, we will continue to extend HTTP warnings, for example, by labeling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.” – continues Schechter.
Last year, in order to encourage webmasters to improve the security of their websites, Google started boosting HTTPS pages in search results. Earlier this year, the company also began monitoring the use of HTTPS on the top 100 sites. These measures have produced results: in April, WordPress.com offered free HTTPS to all hosted sites. All website owners are strongly advised to move to HTTPS as quickly as they can.
“HTTPS is easier and cheaper than ever before, and enables both the best performance the web offers and powerful new features that are too sensitive for HTTP.” – Schechter adds.
Thanks to open Certificate Authorities like Let's Encrypt, HTTPS certificates are available for free.
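
For site owners who want to find the pages the Chrome 56 change described above would affect, here is an added audit sketch; it is not code from Google or Chrome. It assumes sensitive fields can be recognised by `type="password"` or a credit card `autocomplete` token, and it also reports forms that submit to an HTTP URL, a check the article does not mention.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: fields are recognised by type="password" or a credit card
# autocomplete token; Chrome's own detection logic is not described in the article.
CARD_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}

class SensitiveFieldScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None  # resolved action of the enclosing <form>, if any
        self.fields = []         # (kind, field name, URL the value is sent to)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            kind = None
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif CARD_TOKENS & set(a.get("autocomplete", "").lower().split()):
                kind = "credit-card"
            if kind:
                self.fields.append((kind, a.get("name", ""), self.form_action or self.page_url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    """Return one finding per sensitive field exposed to plain HTTP."""
    scanner = SensitiveFieldScanner(page_url)
    scanner.feed(html)
    findings = []
    for kind, name, target in scanner.fields:
        reasons = [why for url, why in ((page_url, "page served over HTTP"),
                                        (target, "form submits over HTTP"))
                   if urlparse(url).scheme == "http"]
        if reasons:
            findings.append({"field": name, "kind": kind, "reasons": reasons})
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE = '<form action="/session"><input name="user"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(audit("http://shop.example/login", SAMPLE))
```

An empty result means no password or card field on that page is loaded or submitted over HTTP.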