The Chromium security team is devising a plan to explicitly and actively inform users that ‘HTTP’ connections provide no data security protections. Google’s grand vision is that some day, HTTPS will become so widespread and commonplace that secure connections can be unmarked in the way that HTTP connections are currently.

In a post on the Chromium Projects website, the Chrome Security Team proposed that user agents (UAs) gradually change their user interfaces and experiences in order that they display non-secure origins as “affirmatively non-secure.”

The change will likely result in new address bar indicators for the various browsers. The warning will be similar to existing HTTPS signifiers, effectively communicating the opposite message, namely that the user’s connection to a website, mail service or other software agent is not secure.

“We know that people do not generally perceive the absence of a warning sign,” the Google Chrome Security Team wrote. “Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP.”

Ivan Ristic, the author of SSL Labs and Bulletproof SSL and TLS, told Threatpost in an email interview that Google’s decision here is a step in the right direction.

“The current situation in which the default is that web sites are not encrypted and some sites opt-in to security is not secure and never can be,” Ristic said. “We can obtain security only if we encrypted 100 percent of the traffic. This is because there are so many traps when deploying partial encryption, that it’s very difficult to do it properly. However, this long-term goal can’t be achieved quickly and at once. Instead, we need to get there via a series of small steps, breaking just a small part of the Internet at any one time.”

This change itself, he said, is not going to make us significantly more secure. However, he continued, it’s an important step in the overall transition to a secure Internet.

“Making this change is an important signal to those who are making deployment decisions and a clear message: HTTP is not secure,” Ristic said. “I am very happy that they are doing this.”

Google suggests that UA connections be classified into three states of transport layer security: secure (having a valid HTTPS certificate); dubious (valid HTTPS but with mixed passive resources, or valid HTTPS with minor TLS errors); and non-secure (either broken HTTPS or just HTTP).

Google is encouraging vendors to take a phased approach to implementing these changes. For example, they say it may be a good idea to treat dubious and non-secure origins similarly in the medium-term before classifying HTTP connections in the same way they classify sites with known bad origins in the long-term.

“We all need data communication on the web to be secure (private, authenticated, untampered),” the Chromium Security Team wrote. “When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin.”


Comments (4)

  1. Brian m

    You do not need everything encrypted, it’s a crazy notion that you do. Wish these zealots would stop and think about others and their needs. Not all of us have high speed connections and powerful devices, there is a perceptible delay when using encrypted sites. Yes, some things need to be really secure, most things don’t! Be better to concentrate on those and let everything else go unencrypted.

  2. henk

    “ERROR: Please browser’s back button and retype the letters under the CAPTCHA image.”

    I did and my message was gone. I can’t read letters which are cut in half.

    Anyway, do static websites from average hobbyists also need to have the HTTPS secure connection?

    • Brian Donohue

      Under current best practices, all websites should have a secure ‘HTTPS’ connection, regardless of their content.

      I am looking into that CAPTCHA issue.

  3. Brian m

    @Brian The thing is with best practices is it’s often someone’s opinion and often one with an agenda! A lot of web site traffic doesn’t need to be secure so why make it so? There is the argument that it would reduce the risk of phishing etc, but there are ways around that for the bad guys anyway.
