Non-HTTPS Sites To Be Labeled “Not Secure” by Chrome

Google has made the following announcement about the way Chrome will handle non-HTTPS sites.

To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.

A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we released our HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.

Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature.

In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

We will publish updates to this plan as we approach future releases, but don’t wait to get started moving to HTTPS. HTTPS is easier and cheaper than ever before, and enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. Check out our set-up guides to get started.

Original announcement here.

That’s okay, I personally label Chrome as “Not Secure”. :-P

  1. HTTP is about as “not secure” as can be; unless the content itself is encrypted or obfuscated, everything can be easily sniffed and read with a simple text editor. And, today, HTTPS can validate the website by matching the URL with DNS information.

  2. The majority of content on the Web is not particularly sensitive, so lack of security is a minor concern. Maybe one day someone will vandalize connections (e.g. replacing real facts with fake facts) so that even casual web browsing might be threatened. That would be something! And only then, maybe, will the entire Web need to be SSL.

  3. There are plenty of borderline examples of whether SSL should be implemented or not, and these forums are an example. As recently as a couple of years ago these openSUSE forums were accessible using HTTP (no SSL). I am glad that a decision was made to enforce SSL to ensure the integrity of the content.

  4. The Google announcement is interesting, and timely. It’s better to be a little early rather than wait for exploits to appear before taking action.

  5. Note that because of AJAX, a blatant lack of encryption (like the first couple of years after Microsoft bought Hotmail: the default was no SSL, but SSL was available if you typed https) is not the only scenario. More insidious is when AJAX sometimes exchanges sensitive data without invoking SSL, which may never be reported by the browser.

If this is important to you, I highly recommend installing the “HTTPS Everywhere” browser plugin from the EFF (and if you don’t know who the EFF is, do take a look at, and research, who they are):
https://www.eff.org/https-everywhere

The plugin tests every HTTP connection you make for a possible SSL equivalent, and if one is available it will automatically switch you over to the encrypted connection.

TSU
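A site owner can check their own pages against the Chrome 56 criterion quoted above (an HTTP page carrying password or credit-card fields) and against the AJAX case from point 5 (script on the page posting to a cleartext endpoint). The following audit script is an added example, not code from the thread, from Google or from Chrome; the HTML sample is constructed, and the credit-card field detection (autocomplete="cc-*" or "card" in the field name/id) is an assumed heuristic, not Chrome's actual logic.

```python
"""Audit an HTML page for what Chrome 56 flags as "Not secure", plus
cleartext form actions and literal http:// URLs inside inline scripts.
Added example code; stdlib only."""
from html.parser import HTMLParser
import re

# Assumed heuristic for credit-card fields (Chrome's real detection differs).
CC_RE = re.compile(r"(cc-|card)", re.I)
# Quoted http:// URLs inside <script> bodies (candidate cleartext AJAX targets).
HTTP_URL_RE = re.compile(r"""['"](http://[^'"]+)['"]""")

class SensitiveFieldScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0
        self.http_actions = []       # <form action="http://..."> targets
        self.http_script_urls = []   # http:// URLs found in inline scripts
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)              # attribute values may be None
        if tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.password_fields += 1
            elif any(CC_RE.search(a.get(k) or "") for k in ("autocomplete", "name", "id")):
                self.card_fields += 1
        elif tag == "form" and (a.get("action") or "").lower().startswith("http://"):
            self.http_actions.append(a["action"])
        elif tag == "script":
            self._in_script = True   # HTMLParser hands script bodies to handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.http_script_urls.extend(HTTP_URL_RE.findall(data))

def audit(page_url, html):
    """Return findings; chrome56_not_secure mirrors the announcement's rule."""
    s = SensitiveFieldScanner()
    s.feed(html)
    over_http = page_url.lower().startswith("http://")
    return {"chrome56_not_secure": over_http and (s.password_fields + s.card_fields) > 0,
            "password_fields": s.password_fields, "card_fields": s.card_fields,
            "cleartext_form_actions": s.http_actions,
            "cleartext_ajax_urls": s.http_script_urls}

# Constructed sample: login form and card field, plus a script that POSTs to http://.
SAMPLE = """<form action="/login"><input type="password" name="pw"></form>
<input autocomplete="cc-number" name="cardno">
<script>fetch("http://api.example.test/track", {method: "POST", body: token});</script>"""
```

Run `audit("http://shop.example.test/checkout", SAMPLE)` to see the page flagged; the same markup served over https:// clears the Chrome 56 rule but still reports the cleartext AJAX URL.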

Great post, thanks!

Just installed HTTPS Everywhere from the EFF site, seems good. Privacy Badger, from their site, is also highly recommended IMO.

I understand that Google is also sponsoring Caddy so that people will have no excuse not to use https when they should. BTW KDE’s Konqueror has long warned when moving from an https to an http site. So this is nothing new.