Apple Safari testing “Not Secure” warning for HTTP websites
Safari will follow the footsteps of Google Chrome by adding a more explicit HTTP warning
HTTP is dead. Google has largely led that charge, given its Chrome browser’s ubiquity and the company’s ability to compel certain behaviors given its size and clout. Now, one of the other big names in the tech industry, Apple, is potentially following Google’s lead by testing a “Not Secure” HTTP warning for its Safari browser.
While organizations like Google, Cloudflare and Mozilla have visibly been at the forefront of the initiative to encrypt the internet, companies like Apple and Microsoft tend to play things far closer to the vest. For instance, whereas Chrome and Mozilla regularly have blog posts detailing changes they’re thinking about making and why they do things, Apple tends to be a little less transparent.
When Apple released Safari Technology Preview 70, which is an advance browser similar to Chrome Canary or Firefox Nightly, the addition of its HTTP warning was given just a single line in the release notes:
Added a warning in the Smart Search field when loading non-secure pages
So, today we’re going to talk a little bit about Safari’s HTTP warning and what it means for internet users moving forward.
Let’s hash it out.
Testing the Safari HTTP Warning
Currently, Apple’s Not Secure warning has only been added to its Technology Preview browser, which Apple uses to test new features. And in true Apple fashion, the company has yet to comment on if and when the change could arrive on the stable version of its Safari browser.
Still, this is significant because Safari does have a decent market share and it’s now the second major browser to actively penalize HTTP websites.
Google has been testing ways to deprecate HTTP for years. Back in 2014 it tried to incentivize migrating to HTTPS by announcing it would be a search ranking signal. Then it started restricting features for HTTP sites. It briefly changed its UI to say “Secure” for EVERY HTTPS site. And then over the summer it finally made good on its promise to add a “Not Secure” warning to its address bar when visiting an HTTP site.
Now Apple appears to be following. Safari’s UI is a lot different from Chrome’s so obviously the warning looks a little different. Apple also elides URLs differently, so I think the effect ends up being a little more impactful.
Again, no word yet on when the change will hit the stable version, but this will apply even more pressure to websites that aren’t offering secure connections.
Why is HTTP bad?
For those that keep abreast of the industry, this is the point you can stop reading. As for everyone else, HTTP has been at the heart of the internet for decades, but it was developed when the internet was a lot different. At that point, sensitive data wasn’t being transferred; the internet was for the free exchange of information.
With the commercialization of the internet, the need for more secure connections between clients and servers became evident, so SSL/TLS was layered over HTTP and HTTPS was born. The internet is not built to be a straight shot to your destination; your computer doesn’t connect directly to the website you’re visiting. Instead, your connection gets routed through various points all across the country or even the world before finally arriving at its destination.
With an HTTP connection, all of the data being sent between client and server travels in plaintext – easily readable by a third party listening in on any of the dozens of devices your connection will route through. HTTPS prevents this by encrypting the data so that it’s unreadable to anyone but the intended party.
You can understand why companies like Google and Apple would want to make this the default. And that’s the plan, to make HTTPS so ubiquitous it becomes an afterthought. Just a standard expectation.
And each step, like adding a Safari HTTP warning, helps move that initiative along.
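For site owners who want to know which of their pages would draw this kind of warning, here is an added example (not from the original article): a small Python audit that classifies how a server answers a plain-HTTP request. The hostnames and response heads are constructed samples, and the function names are this example's own.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample data: (requested URL, raw response head). Not real captures.
SAMPLES = [
    ("http://shop.example/login",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("http://www.example/",
     b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example/\r\n\r\n"),
    ("http://old.example/a",
     b"HTTP/1.1 302 Found\r\nLocation: /b\r\n\r\n"),
]

def parse_head(raw):
    """Return (status_code, headers) from a raw HTTP/1.x response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(url, raw):
    """Classify how a plain-HTTP URL is answered by the server."""
    if urlsplit(url).scheme != "http":
        raise ValueError("expected an http:// URL")
    status, headers = parse_head(raw)
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        # Relative Location values stay on the original (plaintext) scheme.
        target = urljoin(url, headers["location"])
        if urlsplit(target).scheme == "https":
            return "redirects-to-https"
        return "redirects-over-http"
    # Content delivered in plaintext: the page a browser labels "Not Secure".
    return "served-over-http"

def audit(samples):
    """Map each requested URL to its classification."""
    return {url: classify(url, raw) for url, raw in samples}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{verdict:20} {url}")
```

Anything reported as served-over-http or redirects-over-http is a page whose content still crosses the network in plaintext.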
As always, leave any comments or questions below…