Google is to start shaming websites into using HTTPS. The tech giant will make it much more apparent when a website is not using encryption to secure the connection between a website and a user's browser.
In a blog post, Emily Schechter of Google's Chrome Security Team said that from the beginning of January 2017, Chrome (version 56) would mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
“Chrome currently indicates HTTP connections with a neutral indicator. This doesn't reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you,” she said.
She added that a substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing.
“We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we released our HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS,” said Schechter.
She admitted that studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently.
“Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as ‘not secure,' given their particularly sensitive nature,” she said.
She added that Google would continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy.
“Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,” said Schechter.
Kevin Bocek, chief security strategist at Venafi, told SCMagazineUK.com that Google is taking a great step toward improving security on the web by alerting users to websites that are using weak encryption that endangers security and privacy. But he warned that it remains to be seen if users will pay attention.
“Unfortunately, many organisations are struggling to keep up with Google's efforts to increasing authentication, confidence, and privacy,” he said.
“Many organisations still blindly trust all encrypted traffic, even though we know that cyber-criminals have been able to subvert encryption in a variety of cyber-attacks. As far back as 2012, a broad range of industry voices, including Gartner, started sounding the alarm on this topic but, so far, most organisations have been less than responsive. Let's hope that that is about to change.”
Mark James, security specialist at ESET, told SC that anything that enables people to get a better understanding of the current state of their security is a good thing.
“There are so many things the end user has no control over when it comes to others managing their private data but you can decide if you want to use an insecure connection, especially if you're dealing with the input of private data,” he said.
Gareth O'Sullivan, senior director of Solutions Architecture at WhiteHat Security, told SC that using HTTPS could give users a false sense of security as there are a host of other security considerations which should be made when maintaining or using a website. But, he added, “utilising transport encryption is an important control”.