Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

Google Chrome will begin marking some HTTP sites as non-secure in 2017.

Chrome users who navigate to some HTTP sites will be notified, starting in January, that they’re on a site that isn’t secure.

Google said today the browser will begin explicitly labeling HTTP connections that feature either a password or credit card form as non-secure. The company said the plan is its first step toward marking all HTTP sites as non-secure, though it didn’t provide a timetable for the undertaking.


Emily Schechter, a member of Chrome’s Security Team, alerted users of the planned move in a post to Google’s Security blog.

The company said the move will improve on the browser’s current warning, which marks HTTP connections with a neutral indicator. Eventually, Google plans to mark all HTTP pages as non-secure and use the same red triangle it currently uses for broken HTTPS sites.

“This doesn’t reflect the true lack of security for HTTP connections,” Schechter wrote of the neutral indicator. “When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.”

Schechter notes that an academic paper released earlier this summer by Google’s Adrienne Porter Felt and Robert Reeder, among other researchers, spurred the move.

That paper, “Rethinking Connection Security Indicators,” found that most users understood Chrome’s green lock but were unclear what Chrome’s neutral page icon meant. In response, the researchers proposed that three symbols appear in Chrome’s URL bar: a green lock for secure HTTPS sites, a gray “i” for insecure HTTP sites, and a red triangle for not secure, invalid HTTPS sites.
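The rule the article describes (HTTPS gets the lock, HTTP with a password or credit-card form gets “not secure,” all other HTTP stays neutral for now) is easy to reproduce as a site-owner audit. The script below is an added example written for this page, not Chrome’s code; the password and card-field detection is a simplified heuristic assumed here (the `type="password"` attribute and the standard HTML `cc-*` autocomplete tokens, plus a name or id containing “card”), and the sample pages are constructed.

```python
"""Added example (not Chrome's own code): classify a page the way the
article describes, so a site owner can find pages that would be labeled
"not secure" before the January release does it for them."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Standard HTML autocomplete tokens for payment-card fields.
CC_AUTOCOMPLETE = {"cc-number", "cc-name", "cc-exp",
                   "cc-exp-month", "cc-exp-year", "cc-csc"}


class SensitiveFieldFinder(HTMLParser):
    """Counts <input> elements that look like password or card fields."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        # Assumed heuristic: standard autocomplete token, or a name/id
        # that hints at a card number. Chrome's real autofill logic is richer.
        elif a.get("autocomplete") in CC_AUTOCOMPLETE or any(
                "card" in a.get(k, "") for k in ("name", "id")):
            self.card_fields += 1


def classify(url, html):
    """Return the indicator the article describes for the page at `url`.

    'secure'     -> HTTPS (green lock)
    'not secure' -> HTTP carrying a password or card field (January rule)
    'neutral'    -> any other HTTP page (gray indicator, to be phased out)
    """
    if urlparse(url).scheme.lower() == "https":
        return "secure"
    finder = SensitiveFieldFinder()
    finder.feed(html)
    if finder.password_fields or finder.card_fields:
        return "not secure"
    return "neutral"


# Constructed sample pages; example.test is a reserved, non-routable name.
LOGIN_PAGE = """<form action="/login" method="post">
  <input name="user"><input type="password" name="pw"></form>"""
CHECKOUT_PAGE = """<form><input autocomplete="cc-number" name="pan">
  <input autocomplete="cc-csc"></form>"""
BLOG_PAGE = "<h1>Hello</h1><p>Just text, no forms.</p>"

if __name__ == "__main__":
    for url, page in [("http://example.test/login", LOGIN_PAGE),
                      ("http://example.test/checkout", CHECKOUT_PAGE),
                      ("http://example.test/blog", BLOG_PAGE),
                      ("https://example.test/login", LOGIN_PAGE)]:
        print(f"{url:32} -> {classify(url, page)}")
```

Note that the scheme check alone decides the “secure” case: the heuristic only matters for HTTP pages, which is exactly why moving the whole site to HTTPS, rather than just the checkout form, is the simplest way to avoid the label.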

While the paper said Google was planning to adopt the researchers’ findings, it wasn’t clear until now when they’d find their way into Chrome.

Many of the researchers who wrote the paper have spent years evaluating user experiences related to online security and privacy. Last year Felt and Reeder, along with Google’s Alex Ainslie, Sunny Consolvo, and Helen Harris released a similar paper that proposed and evaluated a new SSL warning for Chrome 37. The researchers said a solid SSL warning should empower users to make an informed and intelligent decision, or failing that, guide them away from a potentially dangerous site and back toward safety.

Google will extend the warnings in subsequent releases. One example Schechter gives is labeling HTTP pages as “not secure” in the browser’s Incognito mode, where users often assume a higher level of privacy.


The change is expected to ship in January, roughly when Google releases Chrome 56. Google released the most recent version of the browser, Chrome 53, earlier this month.

Earlier this week, members of Google’s Safe Browsing team updated information in Google’s Search Console to better help webmasters fix security issues. The information breaks down exactly how Google defines malware, deceptive pages, harmful downloads, and unwanted downloads, so webmasters can prevent their sites from triggering harmful content warnings.


Discussion

  • Jennifer M on

    Just because a site doesn't use HTTP doesn't make it "dangerous." There's a cost involved with getting a site certificate and if there is no credit card information involved, a site shouldn't have to conform.
    • Jarrod, Certified Ethical Hacker, CISSP on

      Umm...well, first of all you must mean "Just because a site doesn't use HTTPS" (not HTTP). Second of all, any page that offers a user to create an account with a login should be secured with HTTPS; credit card info or not. By your logic, Facebook doesn't need HTTPS? Give me a break.
    • Scott Hendison on

      I agree with you, but regardless, that's what Google is doing, so either play along or have all your traffic get intercepted by a Google warning.
  • Randal on

    "labeling HTTP connections that feature either a password or credit card form as non-secure" I think this is a good idea to help prevent inadvertently exposing your login credentials or credit card information.
  • George_Spelvin on

    This is a great step forward. I'd also think Chrome should intervene on non-secure pages and say "Hey, the page you're entering information into is not secure and could be read by anybody. Do you really want to submit this info?" While most readers of a page like this would find this ridiculous, most consumers never look up at the address bar and will never see a warning unless I, their tech, point it out to them.
  • farewelldave on

    I'm glad malware and phishing authors don't know anything about using HTTPS.
  • LC in Texas on

    What the hell - I just want to read my e-mail and I'm locked out! What am I paying for? I have more security than the Government and just as screwed up. Passwords-passwords & more passwords, now what? I am an adult and do not put information on the internet, but the websites do & require it and fail to protect it!
  • Keith Williams on

    The implication is that if a site uses HTTPS it's secure and without TLS it isn't. You should realise that this is not true. Supporting HTTPS is no guarantee of security, it just makes the problem of interception more tricky. Informing a user that a site is secure solely on whether it supports HTTPS is an easy win for reporting, but it's a bad indicator.
  • Thomas Campbell-Adams on

    lol, reading comments on articles like this is always fun. I never thought in a million years there would be any web devs who would disagree with this move, but here we are. Pro-tip: If you have a problem with Google marking your HTTP page as insecure, there's a simple way to fix it. :)
  • Kevin on

    A site using HTTPS changes nothing for malware or phishing sites. Any person, any website, can buy an SSL. It's not like the SSL or HTTPS is cross-checked or confirmed for authenticity when a website buys and implements one.
  • GMS on

    Most major sites, with the exclusion of financial institutions, now show the Not Secure symbol. Macy's, Target, BevMO... to name a few. How, then, can I make purchases online?
  • Freddyb on

    You can still enter the site by clicking on ADVANCED, then on the next page clicking the pages underlined URL which says "PROCEED TO SITE (UNSAFE)". This will allow you to proceed to the site despite being deemed unsafe.
  • Sarah on

    I don't think you understand what needs to be secure or not. When you add things to a cart then go to check out, THAT part of the site has the SSL or HTTPS. People complaining about this need to get educated on what information being transmitted across the internet is susceptible to. If you don't want to learn, just know the people who do understand how this works are trying to help you.
  • bgx on

    That's a bummer for people with small informational web sites or blogs using their own domain. Both web hosting and a domain name are relatively cheap. Now you have to add the cost for a certificate to it. Not sure if this is warranted for websites that don't collect any information from the user...
  • Jaye on

    I've had Google tell me a site I've been using for a long time wasn't secure. Two days later I went back and it was stated as secure by Google. A week later it was back to not secure. Really?
