Chrome users who navigate to some HTTP sites will be notified, starting in January, that they’re on a site that isn’t secure.

Google said today the browser will begin explicitly labeling HTTP connections that feature either a password or credit card form as non-secure. The company said the plan is its first step toward marking all HTTP sites as non-secure, though it didn’t provide a timetable for the undertaking.
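As an added illustration (not code from the article or from Chrome itself), the following audit applies the rule just described to a page’s URL and HTML so a site owner can see which pages will get the “Not secure” label in Chrome 56. The article does not describe Chrome’s detection heuristics, so the credit card check here is an assumption: it looks for HTML `autocomplete` credit card tokens, while the password check looks for `<input type="password">`.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# HTML autocomplete tokens that identify credit card fields (assumption: the
# article does not say how Chrome recognises credit card forms).
CC_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Counts password and credit card <input> fields in a document."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.credit_card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        elif CC_TOKENS & set(a.get("autocomplete", "").split()):
            self.credit_card_fields += 1


def audit_page(url, html):
    """Return (label, reasons) following the Chrome 56 rule from the article:
    an HTTP page with a password or credit card form is labelled 'not secure',
    other HTTP pages keep the neutral indicator. HTTPS is reported as 'secure'
    without validating the certificate, which this offline check cannot do."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    reasons = []
    if finder.password_fields:
        reasons.append(f"{finder.password_fields} password field(s)")
    if finder.credit_card_fields:
        reasons.append(f"{finder.credit_card_fields} credit card field(s)")
    if urlsplit(url).scheme.lower() == "https":
        return "secure", reasons
    return ("not secure" if reasons else "neutral"), reasons


# Constructed sample pages for a self-contained run.
SAMPLE_LOGIN = ('<html><body><form action="/login" method="post">'
                '<input name="user"><input type="Password" name="pw">'
                '</form></body></html>')
SAMPLE_CHECKOUT = ('<form><input name="card" autocomplete="billing cc-number">'
                   '<input name="cvc" autocomplete="cc-csc"></form>')
SAMPLE_BLOG = '<html><body><h1>Hello</h1><form><input type="search" name="q"></form></body></html>'

if __name__ == "__main__":
    for url, page in [("http://example.test/login", SAMPLE_LOGIN),
                      ("http://example.test/checkout", SAMPLE_CHECKOUT),
                      ("http://example.test/", SAMPLE_BLOG)]:
        print(url, audit_page(url, page))
```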


Emily Schechter, a member of Chrome’s Security Team, alerted users of the planned move in a post to Google’s Security blog.

The company said the move will improve on the browser’s current warning, which marks HTTP connections with a neutral indicator. Eventually, Google plans to mark all HTTP pages as non-secure and use the same red triangle it currently uses for broken HTTPS sites.

“This doesn’t reflect the true lack of security for HTTP connections,” Schechter wrote of the neutral indicator. “When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.”

Schechter notes that an academic paper released earlier this summer by Google’s Adrienne Porter Felt and Robert Reeder, among other researchers, spurred the move.

That paper, “Rethinking Connection Security Indicators,” found that most users understood Chrome’s green lock but were unclear what Chrome’s neutral page icon meant. In response, the researchers proposed three symbols for Chrome’s URL bar: a green lock for secure HTTPS sites, a gray “i” for insecure HTTP sites, and a red triangle for not secure, invalid HTTPS sites.

While the paper said Google was planning to adopt the researchers’ findings, it wasn’t clear until now when they’d find their way into Chrome.

Many of the researchers who wrote the paper have spent years evaluating user experiences related to online security and privacy. Last year Felt and Reeder, along with Google’s Alex Ainslie, Sunny Consolvo, and Helen Harris released a similar paper that proposed and evaluated a new SSL warning for Chrome 37. The researchers said a solid SSL warning should empower users to make an informed and intelligent decision, or failing that, guide them away from a potentially dangerous site and back toward safety.

Google will extend its warnings with subsequent releases. One example Schechter gives is labeling HTTP pages as “not secure” in the browser’s Incognito mode, where users often assume a higher level of privacy.


The change is expected to be reflected in January, roughly around the time Google releases Chrome 56. Google released the most recent version of the browser, Chrome 53, earlier this month.

Earlier this week, members of Google’s Safe Browsing team updated information in its Search Console to better help webmasters fix security issues. The information breaks down exactly how Google defines malware, deceptive pages, harmful downloads, and unwanted downloads so site owners can prevent their sites from triggering harmful content warnings.


Comments (15)

  1. Jennifer M

    Just because a site doesn’t use HTTP doesn’t make it “dangerous.” There’s a cost involved with getting a site certificate and if there is no credit card information involved, a site shouldn’t have to conform.

    • Jarrod, Certified Ethical Hacker, CISSP

      Umm…well, first of all you must mean “Just because a site doesn’t use HTTPS” (not HTTP). Second of all, any page that offers a user to create an account with a login should be secured with HTTPS; credit card info or not. By your logic, Facebook doesn’t need HTTPS? Give me a break.

    • Scott Hendison

      I agree with you, but regardless, that’s what Google is doing, so either play along or have all your traffic get intercepted by a Google warning.

  2. Randal

    “labeling HTTP connections that feature either a password or credit card form as non-secure”

    I think this is a good idea to help prevent inadvertently exposing your login credentials or credit card information.

  3. George_Spelvin

    This is a great step forward. I’d also think Chrome should intervene on non-secure pages and say “Hey, the page you’re entering information into is not secure and could be read by anybody. Do you really want to submit this info?” While most readers of a page like this would find this ridiculous, most consumers never look up at the address bar and will never see a warning unless I, their tech, point it out to them.

  4. LC in Texas

    What the hell – I just want to read my e-mail and I’m locked out! What am I paying for?

    I have more security than the Government and just as screwed up. Passwords, passwords & more passwords, now what? I am an adult and do not put information on the internet, but the websites do & require it and fail to protect it!

  5. Keith Williams

    The implication is that if a site uses HTTPS it’s secure and without TLS it isn’t. You should realise that this is not true.
    Supporting HTTPS is no guarantee of security, it just makes the problem of interception more tricky.
    Informing a user that a site is secure solely on whether it supports HTTPS is an easy win for reporting, but it’s a bad indicator.

  6. Thomas Campbell-Adams

    lol, reading comments on articles like this is always fun. I never thought in a million years there would be any web devs who would disagree with this move, but here we are.

    Pro-tip: If you have a problem with Google marking your HTTP page as insecure, there’s a simple way to fix it. 🙂

  7. Kevin

    A site using HTTPS changes nothing for malware or phishing sites. Any person, any website, can buy an SSL. It’s not like the SSL or HTTPS is cross-checked or confirmed for authenticity when a website buys and implements one.

  8. GMS

    Most major sites, with the exclusion of financial institutions, now show the Not Secure symbol.
    Macy’s, Target, BevMO… to name a few. How, then, can I make purchases online?

  9. Freddyb

    You can still enter the site by clicking on ADVANCED, then on the next page clicking the page’s underlined URL which says “PROCEED TO SITE (UNSAFE)”. This will allow you to proceed to the site despite being deemed unsafe.

  10. Sarah

    I don’t think you understand what needs to be secure or not. When you add things to a cart then go to check out, THAT part of the site has the SSL or HTTPS. People complaining about this need to get educated on what information being transmitted across the internet is susceptible to. If you don’t want to learn, just know the people who do understand how this works are trying to help you.

  11. bgx

    That’s a bummer for people with small informational web sites or blogs using their own domain. Both web hosting and a domain name are relatively cheap. Now you have to add the cost for a certificate to it. Not sure if this is warranted for websites that don’t collect any information from the user…

  12. Jaye

    I’ve had Google tell me a site I’ve been using for a long time wasn’t secure. Two days later I went back and it was stated as secure by Google. A week later it was back to not secure. Really?
