Google’s Emily Schechter of the Chrome Security Team said on Thursday that starting with Chrome 56, slated to arrive in January 2017, the browser will visually inform users when HTTP sites are not securing the transmission of their credit card information and/or passwords. Google will eventually list all HTTP sites as non-secure, so this is a step in that direction.
Right now, Chrome marks a secured website with a green HTTPS label in the address bar. When users visit a non-secure HTTP website, however, the browser shows a neutral indicator signaling that the user might be at risk from a non-secure connection. According to Schechter, someone on the network could modify the HTTP website before it reaches the user’s browser.
When Chrome 56 lands next year, the browser will add a “not secure” label to the left of the website’s address, in addition to the neutral indicator, when the site doesn’t secure form fields for credit card numbers and passwords.
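For site owners preparing for this change, the following added example (not from the article and not Chrome's own detection logic) audits a page's HTML for the kinds of fields the new label targets. The autocomplete token list, the finding names and the sample pages are assumptions made for illustration, and the check goes one step beyond the article by also flagging forms that submit to an http:// URL.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: autocomplete tokens that mark payment-card inputs (HTML autofill names).
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class SensitiveFieldAudit(HTMLParser):
    """Collects password/card inputs and any form whose action resolves to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action posts back to the page URL itself.
            target = urljoin(self.page_url, a.get("action", ""))
            if urlparse(target).scheme == "http":
                self.findings.append(("form-posts-over-http", target))
        elif tag == "input":
            tokens = set(a.get("autocomplete", "").lower().split())
            if a.get("type", "").lower() == "password":
                self.findings.append(("password-field", a.get("name", "")))
            elif tokens & CARD_TOKENS:
                self.findings.append(("card-field", a.get("name", "")))


def audit_page(page_url, html):
    """Return findings; sensitive fields are reported only when the page itself is HTTP."""
    parser = SensitiveFieldAudit(page_url)
    parser.feed(html)
    page_is_http = urlparse(page_url).scheme == "http"
    return [f for f in parser.findings
            if f[0] == "form-posts-over-http" or page_is_http]


# Constructed sample pages (not taken from the article).
LOGIN_HTML = '<form action="/session"><input type="password" name="pw"></form>'
PAY_HTML = ('<form action="http://shop.example/charge">'
            '<input name="card" autocomplete="cc-number"></form>')

if __name__ == "__main__":
    print(audit_page("http://shop.example/login", LOGIN_HTML))
    print(audit_page("https://shop.example/pay", PAY_HTML))
```

An HTTPS page with only HTTPS form targets returns an empty list, so any finding is a page to migrate before the label appears.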
Eventually all HTTP pages will don the red non-secure triangle that the company currently uses for broken HTTPS websites. However, getting to that point will be gradual, and based on “increasingly stringent criteria.” One step in that direction will be labeling HTTP pages as non-secure when users are browsing the Internet in incognito mode.
If you’re not sure what HTTPS is all about, it’s short for HyperText Transfer Protocol Secure. That essentially means all data passed between the website and the user’s browser is encrypted so that hackers intercepting the transmission can’t access your credentials. The technology behind this encrypted transmission is called Secure Sockets Layer, or SSL, and essentially each side has a “key” to decrypt the data transmission, locking hackers out.
Unfortunately, HTTP sites don’t do this, allowing anyone to “eavesdrop” on the transmission between a webpage and its visitors. Even worse, hackers can modify these websites, after gaining login credentials, to install malware. And although Chrome warns users that they could be at risk when accessing an HTTP website, not all users perceive this warning as signaling a lack of security. Moreover, according to Schechter, users can become “blind” to warnings that occur too many times.
“A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing,” Schechter said. “We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we released our HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.”
Google’s plan for identifying non-secure websites reveals that HTTP sites accessed by Chrome will still work, and that the company has no plans to block these sites within the browser. However, this plan mainly addresses the concerns of websites that have yet to transition to HTTPS, and lists ways sites can grab free and cheap keys (certificates) for setting up a secure connection. A number of set-up guides can be found here as well.