Chrome now says all HTTP sites are “not secure” but is it a good thing?

Google is ready to roll out Chrome 68 to the world and in doing so will drastically change how it communicates what sites are safe to visit and those that it says are not. 

Chrome, the most popular browser in the world has more than a billion Windows, Mac and Linux users and as of today it’s going to take a major step in Google’s two-year campaign to drag the world across to HTTPS or HTTP “Secure”, which means the connection between the user and site is encrypted and data is protected. 

Over the last few years Google has been marking more HTTP pages as not secure, it’s most notable shift coming in Chrome 56 in January 2017 when it began labeling pages where users input passwords or credit card data as "not secure" if it is HTTP and not HTTPS.  

In Chrome 62, released in October, HTTP pages were marked as “not secure” if the user was browsing in “incongnito mode” plus on pages that contain a password field and any page that the use can input any data. 

Today, with the release of Chrome 68, all HTTP pages will display the words “Not Secure” rather than the previous neutral message, which said nothing if any page except ones where users type sensitive information on a HTTP page.     

It’s all part of Google’s carrot and stick approach to dragging websites to HTTPS, which is one way to prevent eavesdroppers from scooping up sensitive information in transit like the passwords and credit card information that Google initially said it wanted to protect. HTTPS can’t stop hackers from breaching say a online ticket seller and stealing credit card numbers they stored, but attackers at least can’t get the information as it moves between browser and the site.      

The next phase begins today with the release of Chrome 68 which will mark all HTTP pages as “Not Secure”. 

“Chrome’s “not secure” warning helps you understand when the connection to the site you're on isn’t secure and, at the same time, motivates the site's owner to improve the security of their site. Since our announcement nearly two years ago, HTTPS usage has made incredible progress,” said Emily Schechter, Chrome security product manager. 

Google claims that 76 percent of Chrome traffic on Android is now HTTPS, and 83 of the top 100 sites use HTTPS by default. 

The change is mostly for Chrome on the desktop. Due to space limitations, on Android Google has taken a different approach, opting for an “i” icon to indicate potential badness. 

When Chrome 69 arrives in September Google plans to remove the word “secure” for all sites unless they’re not secure. Then in October, with Chrome 70, it will show a red “not secure” warning for pages where users enter data on HTTP pages. 

Firefox implemented its own version of in-context warnings for sites where users input passwords or credit card data on pages, but it dwarfed by Chrome's share of users on all OS platforms. 

Google has willed the web to move in its direction through organizations like Let’s Encrypt, a Certificate Authority that it sponsors to give out free and automated SSL certificates. 

Not everyone is supportive of Google’s HTTPS push. As noted by Wired, Dave Winer, a creator of RSS and noted agitator against Google’s power over the web, in February complained that Google’s effort to “deprecate HTTP”, was bad for the web because the web was meant to be an “open, not a corporate platform” and that Google, as a guest, should not define its rules. 

The move to marking all HTTP sites as “not secure” exemplified this notion since some of those sites that will be marked negatively don’t even ask for user information. Users will see the warning and mindlessly hit the back button, he worried. 

Perhaps even worse, Google’s plan to steer people away from HTTP sites will make a lot of the web’s history inaccessible; Winer compared Google’s HTTPS initiative to a “massive book burning” on an unprecedented scale. 

If HTTPS was as good as Google claims it is, site operators would willingly do it but with a gatekeeper as big as Google controlling traffic to websites, site operators — including operators of small blogs — are forced to do something that benefits Google but does not clearly benefit them. They would be faced with warnings from Google like the one that Winer himself received in June

Read more: How Microsoft helped neuter ‘double zero-day exploit’ before anyone was infected

Winer’s key concern is that Google may be killing off a space for experimentation that low barriers to entry created and are are now being made higher, despite initiatives such as Let’s Encrypt. Safety in this case, comes at a cost. 

“The web is not safe. That is correct. We don't want every place to be safe. So people can be wild and experiment and try out new ideas. It's why the web has been the proving ground for so much incredible stuff over its history. 

Lots of things aren't safe. Crossing the street. Bike riding in Manhattan. Falling in love. We do them anyway. You can't be safe all the time. Life itself isn't safe. 

If Google succeeds in making the web controlled and bland, we'll just have to reinvent the web outside of Google's sphere. Let's save some time, and create the new web out of the web itself,” wrote Winer.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags MicrosoftGoogleencryptionFirefoxmozillachromeHTTPHTTPS

More about GoogleLinuxManhattan

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts