Starting tomorrow, Google Chrome will begin warning users who visit unencrypted websites that their traffic is flowing to an insecure location. It’s a transition we’ve covered several times already this year, and while it might seem to be a minor shift, getting news out to folks so they aren’t freaked out by the switch from “secure” messaging to “insecure” messaging is important — especially since some sites that don’t currently deploy HTTPS will undoubtedly need some time to finish doing so.
Today, browsers mark HTTPS sites as secure with a green lock icon. From tomorrow, Chrome will instead flag plain-HTTP sites as insecure rather than labeling HTTPS sites as secure, with the exact wording varying by browser vendor. The change is shown below:
Security researcher Troy Hunt is working on a site called WhyNohttps.com, which he intends to launch this week. It plans to gather a list of the largest websites that aren’t supporting HTTPS yet in the hopes of shaming them into adopting a more secure standard. CloudFlare has noted that despite more widespread adoption in recent months, a majority of the Top 1M most popular sites online are still insecure and do not offer HTTPS by default.
Friends, I’m after some support: @Scott_Helme and I are doing a little project with a site called https://t.co/Y4GlsInvu2 which will coincide with the Chrome 68 launch next week. It’ll list the world’s largest websites that don’t do HTTPS by default.
— Troy Hunt (@troyhunt) July 20, 2018
For those of you who aren’t aware, the “s” in HTTPS means that a website’s HTTP traffic is secured with Transport Layer Security (TLS) encryption. HTTPS protects against man-in-the-middle attacks, eavesdropping, and tampering with website data. It’s the protection that Lenovo broke with its Superfish scandal several years ago, and it is generally considered foundational to the entire question of browser security. And while not every website literally needs HTTPS, the availability of free certificates from groups like LetsEncrypt (a non-profit founded by the EFF) makes it easier to adopt the standard without paying hefty amounts of cash to do so.
Chrome is the first browser to take this step with HTTPS, but it’s expected that Microsoft and Mozilla will both follow suit. Google’s web page on avoiding the “Not Secure” label in Chrome is available here. While somewhat dated (a few of the links on the page are from 2016), it appears to offer some useful information on avoiding Not Secure labels, including the need to serve pages natively over HTTPS rather than embedding an HTTPS login frame in an HTTP page. As the site says: “Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.”
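As an added example (not from the article or from Google’s page), here is the kind of server configuration that migration to “HTTPS for all pages” amounts to in practice; it assumes an nginx front end, and the hostname and Let’s Encrypt certificate paths are placeholders.

```nginx
# Added example: serve every page over HTTPS and send plain-HTTP visitors there.
# example.com and the /etc/letsencrypt paths are placeholders for your own site.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Keep the ACME HTTP-01 challenge reachable over HTTP so a Let's Encrypt
    # client can renew the certificate without the redirect getting in the way.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else: permanent redirect to the same host and path over HTTPS.
    # This is what removes the "Not Secure" label for visitors who type http://.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Tell browsers to use HTTPS for the next year without trying HTTP first.
    # Start with a short max-age while testing; it is hard to undo once cached.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # An HTTPS page that still loads images or scripts via http:// is "mixed
    # content" and loses the secure indicator; this directive makes the browser
    # fetch such subresources over https:// instead.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;

    root /var/www/example.com;
    index index.html;
}
```

After reloading, confirm that a request to the plain-HTTP port answers with a 301 to the https:// address and that the HTTPS page loads with no mixed-content warnings in the browser console.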