By 2017, HTTP pages will trigger a “Not Secure” warning.
A big change is coming to the browser world next year: For the first time, a major browser will actively tell users that HTTP is not secure.
Last week Google Chrome’s security team announced that Chrome would explicitly warn about the insecurity of HTTP pages when a password or credit card field is present. On these pages, “Not Secure” will be displayed in the address bar to the left of the URL.
This will roll out with Chrome 56, which is planned for a January 2017 release. “Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections,” wrote Emily Schechter, an engineer on Chrome’s security team. Chrome wants to make that lack of security more obvious when pages are asking for particularly sensitive information.
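As an added illustration (not code from the article or from the Chrome team), the checker below models the Chrome 56 rule described above: a page served over plain HTTP that contains a password field or a payment-card field gets “Not Secure”, an HTTPS page keeps its secure indicator, and any other HTTP page keeps the neutral one. It assumes card fields can be recognised by their HTML `autocomplete` tokens (`cc-number` and friends); Chrome’s own autofill heuristics are broader, so this is an approximation. The sample pages are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Standard HTML autocomplete tokens for payment-card fields.
CC_AUTOCOMPLETE = {"cc-number", "cc-name", "cc-exp", "cc-exp-month",
                   "cc-exp-year", "cc-csc", "cc-type"}


class SensitiveFieldFinder(HTMLParser):
    """Counts <input> elements that collect passwords or card details."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {name: (value or "").lower() for name, value in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        # Assumption: a card field is one marked with a cc-* autocomplete token;
        # Chrome's real detection also uses autofill heuristics not modelled here.
        elif a.get("autocomplete") in CC_AUTOCOMPLETE:
            self.card_fields += 1


def chrome56_indicator(url, html):
    """Return 'secure', 'Not Secure' or 'neutral' for a page under the Chrome 56 rule."""
    if urlparse(url).scheme.lower() == "https":
        return "secure"            # HTTPS pages are unaffected by this change
    finder = SensitiveFieldFinder()
    finder.feed(html)
    if finder.password_fields or finder.card_fields:
        return "Not Secure"        # HTTP + sensitive field triggers the warning
    return "neutral"               # HTTP without such fields keeps the neutral icon


# Constructed sample pages (not real sites).
LOGIN_FORM = '<form><input name="u"><input TYPE="Password" name="p"></form>'
CHECKOUT_FORM = '<form><input autocomplete="cc-number"><input autocomplete="cc-csc"></form>'
ABOUT_PAGE = '<p>About us</p><form><input type="search" name="q"></form>'

if __name__ == "__main__":
    for url, page in [("http://shop.example/login", LOGIN_FORM),
                      ("http://shop.example/pay", CHECKOUT_FORM),
                      ("http://shop.example/about", ABOUT_PAGE),
                      ("https://shop.example/login", LOGIN_FORM)]:
        print(url, "->", chrome56_indicator(url, page))
```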
Their team has often cited that “users do not perceive the lack of a ‘secure’ icon as a warning” as a key reason driving their design decisions.
This is one of the initial steps in a plan to flip the current paradigm of security indicators. Google’s ultimate goal is to display a non-secure warning for all HTTP connections and remove the green padlock currently displayed during secure connections. But that won’t happen for some time.
Executing that plan involves more than just flipping a switch. The world’s websites need to be ready for it. Google is making that a possibility by simplifying security indicators, giving an SEO boost to SSL-protected pages, and developing web standards that make an HTTPS transition easier. Other companies are doing their part as well, with initiatives like free SSL certificates through Symantec’s Encryption Everywhere program and the non-profit CA Let’s Encrypt.
Their hard work is paying off. Use of SSL/TLS is higher than ever before, and growing quickly. Security researcher Scott Helme has been conducting regular security scans of the Alexa Top 1 Million websites, and “in the 6 months from February 2016 to August 2016 [he] saw a 46.43% increase in the use of HTTPS.” Metrics-tracking site BuiltWith.com has similarly seen that HTTPS use has doubled this year.
As HTTPS spreads, Google will move forward with their plan to mark HTTP as not secure in all situations and uses, but that will be happening one step at a time. “In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as ‘not secure’ in Incognito mode, where users may have higher expectations of privacy,” continued Schechter.
In the most recent release of Chrome, Google also updated the visual indicators for connection security, based on research conducted by their security team. We broke down the science behind the new indicators last month.