Websites that insist on sticking with HTTP will have a public relations issue on their hands, beginning today: All of them, without exception, will be labeled as insecure by Google Chrome from now on.
Anyone using the Chrome web browser will be served up a warning message anytime they surf to an HTTP page, as part of the internet giant’s release of Chrome 68. The website will be flagged as “not secure” in a hard-not-to-notice warning label in the navigation bar. Given that Chrome is the most widely used browser in the world, the impact can be significant for web pages that haven’t migrated to HTTPS, which encrypts traffic flowing to and from a site.
The reason for the move is simple: “When you load a website over plain HTTP, your connection to the site is not encrypted,” said Emily Schechter, Chrome security product manager, in today’s blog on the move. “With HTTPS, your connection to the site is encrypted, so eavesdroppers are locked out, and information (like passwords or credit-card info) will be private when sent to the site.”
“When someone visits a website that does not use HTTPS, the entire interaction is broadcast in the clear for anyone on the network path to see,” added Josh Aas, executive director of the Internet Security Research Group, the organization behind Let’s Encrypt, in an email to Threatpost. “Furthermore, the interaction can be tampered with to include anything from ads to malware.”
To be fair, webmasters can hardly be caught unaware by Google’s policy: The plan to do this has been in the works for two years. Google announced in 2016 that it would be encouraging encryption on the web by slowly and steadily moving in on HTTP sites with warning notifications. Last year, with the January 2017 release of Chrome 56, Google started putting warnings on desktop HTTP pages with password or credit-card forms. October 2017’s Chrome 62 added “not secure” warnings for when users enter data on an HTTP page, and for any HTTP page a user visits while in the browser’s incognito mode.
Schechter said that since the announcement nearly two years ago, HTTPS usage has made “incredible progress.” Google’s latest Transparency Report showed that 76 percent of Chrome traffic on Android is now HTTPS-protected, up from 42 percent in 2016; while 85 percent of Chrome traffic on ChromeOS is now protected, up from 67 percent.
Also, 83 of the top 100 sites on the web (as ranked by Alexa) use HTTPS by default, up from 37 two years ago.
Further, to date, HTTPS certificates from automated tool Let’s Encrypt cover over 113 million websites (up from 89 million just last month), and the organization said that it’s on track to encrypt more than 150 million websites by the end of 2018.
“We expect Google Chrome’s new warnings to contribute significantly to that growth, as well as HTTPS growth on the web in general,” Aas said. “We regularly engage with hosting providers regarding current and upcoming HTTPS deployments. Hosting providers of all sizes are accelerating their plans to move websites to HTTPS as a direct result of Google Chrome 68’s user interface changes.”
While it seems a fait accompli, this isn’t the end of the effort, according to Schechter – there’s a web encryption 2.0 plan underway as well.
“Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure,” she explained.
Google will roll this out over time, starting by removing the “secure” wording in September with Chrome 69. In October, with the release of Chrome 70, the browser will start showing a red “not secure” warning when users begin typing data into forms on HTTP pages, to get their attention.
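For site owners who want to know whether their own properties will trip the “not secure” label, the practical check is whether the plain-HTTP endpoint of each host redirects to the same host over HTTPS rather than serving content directly. The following is an added example, not code from the article, from Google or from Let’s Encrypt: it issues a single GET over plain HTTP without following redirects, classifies the response, and runs that probe against two constructed local servers (one that redirects correctly, one that still serves over HTTP). The server stand-ins, the host `127.0.0.1` and the verdict names are assumptions made for the demonstration.

```python
"""Audit whether a host's plain-HTTP endpoint redirects to HTTPS.

Added example (not the article's own code). The two local servers below are
constructed stand-ins for a migrated site and a legacy HTTP-only site.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)


def classify_http_response(host, status, location):
    """Classify what a site returned for GET / over plain HTTP.

    Verdicts (names chosen for this example):
      "redirects-to-https"  - redirect to https:// on the same host
      "redirects-elsewhere" - a redirect, but not to HTTPS on this host
      "serves-plain-http"   - content served directly over HTTP; this is
                              what Chrome 68 labels "not secure"
    """
    if status in REDIRECT_CODES:
        target = urlsplit(location or "")
        same_host = (target.hostname or "").lower() == host.lower()
        if target.scheme == "https" and same_host:
            return "redirects-to-https"
        return "redirects-elsewhere"
    return "serves-plain-http"


def probe_plain_http(host, port=80, timeout=5):
    """Send one GET / over plain HTTP and classify the response.

    http.client does not follow redirects, so the Location header of the
    first response is exactly what a browser would be sent to.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return classify_http_response(host, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


class _RedirectingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a site that has migrated to HTTPS."""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://127.0.0.1" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


class _PlainHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a site still served only over HTTP."""

    def do_GET(self):
        body = b"<html><body>legacy page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def _serve(handler):
    """Start a local HTTP server on an ephemeral port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Probe both constructed servers; returns {name: verdict}."""
    results = {}
    for name, handler in (("migrated", _RedirectingHandler), ("legacy", _PlainHandler)):
        server = _serve(handler)
        try:
            results[name] = probe_plain_http("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Against a real host, `probe_plain_http("www.example.org")` on port 80 gives the same three-way verdict; anything other than `redirects-to-https` means visitors on Chrome 68 will see the warning, and a redirect to a different host or a relative path is worth a second look because it still leaves the first request unencrypted.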