Starting tomorrow, Google Chrome will begin warning users who visit unencrypted websites that their traffic is flowing to an insecure location. It’s a transition we’ve covered several times already this year, and while it might seem to be a minor shift, getting news out to folks so they aren’t freaked out by the switch from “secure” messaging to “insecure” messaging is important — especially since some sites that don’t currently deploy HTTPS will undoubtedly need some time to finish doing so.
Today, browsers notify users that sites are secure with a green lock logo. After tomorrow, users will instead be warned when a site is insecure, with the exact messaging varying by browser vendor. The change is shown below:
Security researcher Troy Hunt is working on a site called WhyNohttps.com, which he intends to launch this week. It plans to gather a list of the largest websites that aren’t supporting HTTPS yet in the hopes of shaming them into adopting a more secure standard. Cloudflare has noted that despite more widespread adoption in recent months, a majority of the Top 1M most popular sites online are still insecure and do not offer HTTPS by default.
Friends, I’m after some support: @Scott_Helme and I are doing a little project with a site called https://t.co/Y4GlsInvu2 which will coincide with the Chrome 68 launch next week. It’ll list the world’s largest websites that don’t do HTTPS by default.
— Troy Hunt (@troyhunt) July 20, 2018
For those of you who aren’t aware, the “https” extension of HTTP means that a website is secured using Transport Layer Security (TLS) encryption. HTTPS protects against man-in-the-middle attacks, eavesdropping, and tampering with website data. It’s the functionality that Lenovo broke with its Superfish scandal several years ago, and is generally considered foundational to the entire question of browser security. And while not every website literally needs HTTPS, the availability of free encryption certificates from groups like Let’s Encrypt (a non-profit founded by the EFF) makes it easier to adopt the security standard without paying hefty amounts of cash to do so.
Chrome is the first browser to take this step with HTTPS, but it’s expected that MS and Mozilla will both follow suit. Google’s web page on avoiding the “Not Secure” ranking in Chrome is available here. While somewhat dated (a few of the links on the page are from 2016), it appears to offer some useful information on avoiding Not Secure ratings, including the need to use native HTTPS rather than embedding an HTTPS login frame on an HTTP page. As the site says: “Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.”
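For site owners preparing for the change, the following is an added example (not code from Google or from this article) of a small audit that checks a fetched page for the patterns the quoted guidance names: sensitive input fields on an HTTP page and an HTTPS frame embedded in an HTTP page. Treating "sensitive" as password and payment-card inputs is an assumption, and the host names and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Autocomplete tokens that mark payment-card fields (HTML standard).
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}

class _Audit(HTMLParser):
    """Collects the constructs the article's quoted guidance is about."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            if a.get("type", "").lower() == "password":
                self.findings.append("password field on HTTP page")
            if set(a.get("autocomplete", "").lower().split()) & CARD_TOKENS:
                self.findings.append("payment card field on HTTP page")
        elif tag == "iframe" and a.get("src"):
            # Any HTTPS frame is reported; markup alone cannot show it is a login frame.
            src = urljoin(self.page_url, a["src"])
            if urlsplit(src).scheme == "https":
                self.findings.append("HTTPS frame embedded in HTTP page: " + src)
        elif tag == "form":
            # A missing action submits to the page's own URL.
            target = urljoin(self.page_url, a.get("action", ""))
            if urlsplit(target).scheme == "http":
                self.findings.append("form submits over HTTP: " + target)

def audit_page(page_url, html):
    """Return findings for an HTTP page; pages served over HTTPS return []."""
    if urlsplit(page_url).scheme != "http":
        return []
    auditor = _Audit(page_url)
    auditor.feed(html)
    return ["page served over HTTP (Not Secure from Chrome 68)"] + auditor.findings

# Constructed sample (hypothetical hosts): an HTTP page wrapping an HTTPS login frame.
SAMPLE = """<html><body>
<form action="/search"><input type="text" name="q"></form>
<iframe src="https://login.example.test/frame"></iframe>
<form action="/pay"><input autocomplete="cc-number"><input type="password"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page("http://shop.example.test/", SAMPLE):
        print(finding)
```

The first finding appears for every HTTP page, which matches the article's point that the targeted fixes only postpone the warning; the remaining findings show which pages to migrate first.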