Google Proposes Marking ‘HTTP’ as Insecure in 2015

HTTP warnings

Google proposes that browser vendors begin issuing address bar warnings to users that HTTP connections provide no data security protection.

The Chromium security team is devising a plan to explicitly and actively inform users that ‘HTTP’ connections provide no data security protections. Google’s grand vision is that some day, HTTPS will become so widespread and commonplace that secure connections can be unmarked in the way that HTTP connections are currently.

In a post on the Chromium Projects website, the Chrome Security Team proposed that user agents (UAs) gradually change their user interfaces and experiences in order that they display non-secure origins as “affirmatively non-secure.”

The change will likely result in new address bar indicators for the various browsers. The warning will be similar to existing HTTPS signifiers, effectively communicating the opposite message, namely that the user’s connection to a website, mail service or other software agent is not secure.

“We know that people do not generally perceive the absence of a warning sign,” the Google Chome Security Team wrote. “Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP.”

Ivan Ristic, the author of SSL Labs and Bulletproof SSL and TLS, told Threatpost in an email interview that Google’s decision here is a step in the right direction.

The current situation in which the default is that web sites are not encrypted and some sites opt-in to security is not secure and never can be

“The current situation in which the default is that web sites are not encrypted and some sites opt-in to security is not secure and never can be,” Ristic said. “We can obtain security only if we encrypted 100 percent of the traffic. This is because there are so many traps when deploying partial encryption, that it’s very difficult to do it properly. However, this long-term goal can’t be achieved quickly and at once. Instead, we need to get there via a series of small steps, breaking just a small part of the Internet at any one time.”

This change itself, he said, is not going to make us significantly more secure. However, he continued, it’s an important step in the overall transition to a secure Internet.

“Making this change is an important signal to those who are making deployment decisions and a clear message: HTTP is not secure,” Rostic said. “I am very happy that they are doing this.”

Google suggests that UA connections are classified into three states of transport layer security. Secure (having a valid HTTPS certificate); dubious (valid HTTPS but with mixed passive resources or a valid HTTPS with minor TLS errors); and non-secure (either broken HTTPS or just HTTP).

Google is encouraging vendors to take a phased approach to implementing these changes. For example, they say it may be a good idea to treat dubious and non-secure origins similarly in the medium-term before classifying HTTP connections in the same way they classify sites with known bad origins in the long-term.

“We all need data communication on the web to be secure (private, authenticated, untampered),” The Chromium Security Team wrote. “When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin.”

Suggested articles