Google will name and shame insecure websites

Websites without HTTPS will be marked as “non-secure” from 2017

In 2017 Google Chrome will be warning website users that the sites are “not secure” if they are not using HTTPS.

Google is giving websites that transmit passwords or credit card details until 2017 to move to the secure protocol, which encrypts communications between your browser and internet sites.

“Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure,” noted Emily Schechter of the Chrome security team, in a blog post.

The warning will be shown by Google to users with some text ahead of the URL in the address bar of the Chrome browser.

“In its warning it says ‘Not secure’,” security analyst Graham Cluley said in a blog post. “That’s not really the right terminology. What they really mean is ‘Not encrypted’.”

He noted that using HTTPS doesn’t mean the site is secure in other ways. “It would be a mistake, for instance, to find ourselves back in the bad old days when some users believed that the mere existence of a padlock in the browser bar meant that the site could be trusted and considered legitimate, when it was perfectly possible for criminals to set up a website with HTTPS if they wished or compromise a legitimate website that was using web encryption properly,” he added.

Because users may ignore the warnings, Google intends to roll them out slowly and carefully. In January the first warnings will start to appear, and they will only label as insecure those HTTP pages that contain credit card or password fields.

The next step after that is to extend the HTTP warning to any page, regardless of its content, when it is opened in Incognito mode, “where users may have higher expectations of privacy”.

Currently, Chrome highlights that the connection is HTTP and not private via an icon, and users have to click on this icon to see the warning. In Google’s browser, click on the icon before the URL in the address bar and it will tell you that “your connection to this site is not private”.

Longer term, it will show the words “not secure” and will let users click through for further information.
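The phased rollout described above (password or credit card fields on HTTP first, then any HTTP page in Incognito mode, and eventually every HTTP page) can be modelled as a small audit function. This is an added example, not Google’s or Chrome’s own code: the field-detection heuristic (an `<input type="password">`, or an input whose `autocomplete` attribute starts with `cc-`) and the phase constants are assumptions made for illustration, and Chrome’s real credit card detection relies on its autofill logic rather than this attribute check. The sample HTML is constructed.

```python
"""Model of Chrome's HTTP "Not secure" rollout as described in the article.

Added example, not Chrome's own code. The password/credit-card field
heuristic and the phase constants are assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed rollout phases, following the article's description.
PHASE_CREDENTIALS = 1  # Chrome 56 (Jan 2017): HTTP pages with password/credit card fields
PHASE_INCOGNITO = 2    # next step: any HTTP page opened in Incognito mode
PHASE_ALL_HTTP = 3     # long term: every HTTP page


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that look like password or credit card fields."""

    def __init__(self):
        super().__init__()
        self.password_fields = []
        self.card_fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        name = a.get("name") or a.get("id") or "<unnamed>"
        if a.get("type") == "password":
            self.password_fields.append(name)
        elif a.get("autocomplete", "").startswith("cc-"):  # assumed heuristic
            self.card_fields.append(name)


def find_sensitive_fields(html):
    """Return (password_field_names, card_field_names) found in the HTML."""
    parser = SensitiveFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.password_fields, parser.card_fields


def chrome_indicator(url, html, phase=PHASE_CREDENTIALS, incognito=False):
    """Return the address-bar label the page would get under the given phase:
    'secure' (HTTPS), 'not secure' (flagged HTTP) or 'neutral' (info icon only)."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "secure"
    if scheme != "http":
        return "neutral"
    passwords, cards = find_sensitive_fields(html)
    if passwords or cards:
        return "not secure"  # flagged from Chrome 56 onwards in every phase
    if phase >= PHASE_INCOGNITO and incognito:
        return "not secure"
    if phase >= PHASE_ALL_HTTP:
        return "not secure"
    return "neutral"  # only the icon; "connection is not private" on click


# Constructed sample pages for demonstration.
LOGIN_HTML = """<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
</form>"""
CHECKOUT_HTML = """<form action="/pay" method="post">
  <input name="cardnum" autocomplete="cc-number">
  <input name="exp" autocomplete="cc-exp">
</form>"""
PLAIN_HTML = "<h1>Welcome</h1><p>No forms here.</p>"

if __name__ == "__main__":
    for url, html in [("http://example.test/login", LOGIN_HTML),
                      ("https://example.test/login", LOGIN_HTML),
                      ("http://example.test/pay", CHECKOUT_HTML),
                      ("http://example.test/", PLAIN_HTML)]:
        print(f"{url:32} -> {chrome_indicator(url, html)}")
    print("incognito, phase 2:", chrome_indicator("http://example.test/", PLAIN_HTML,
                                                   phase=PHASE_INCOGNITO, incognito=True))
```

Running the script shows the login and checkout pages flagged over HTTP but not over HTTPS, the plain page left neutral in the first phase, and the same plain page flagged once Incognito mode (phase 2) or the all-HTTP phase (phase 3) applies; a site owner can run `find_sensitive_fields` over their own templates to see which pages the January 2017 change will hit first.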

Importantly, Google has admitted that users are ignoring these security icons and warnings, which means they are becoming “blind to warnings that occur too frequently”.

Google feels the risk of warning overload is justified. “When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you,” noted Schechter.

Graham Cluley, a security analyst, has said that not only could the increase in warnings cause problems, but so could the terminology.

Schechter, of the Chrome security team, added: “Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”

This will mean that websites – including our own, TIVA IT Solutions Ltd, but also Google’s own Chromium blog – will have to upgrade to HTTPS to avoid visitors being shown a message that their pages are insecure.

In addition, Schechter noted that Google’s traffic statistics show half of Chrome desktop page loads are already served over HTTPS.