3 min read

Unencrypted website? Expect to start being shamed by Google Chrome from January


September 09, 2016

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Unencrypted website? Expect to start being shamed by Google Chrome from January

Too many websites are being lax with the security of your passwords and credit card information, and Google says enough is enough.

The problem is this. When you visit a website that asks you to enter your password or payment card details you want to feel confident not only that the website itself is taking care with how it might store that information, but also whether the information is being sent securely from your computer or mobile phone’s web browser to the site itself.

Because if that information isn’t being sent in a secure fashion between your device and the website, a malicious hacker could potentially intercept the data as it is being sent and grab your login password. Perhaps the most well known risk is if you happen to be using a public Wi-Fi hotspot and you can never be quite sure if that guy sitting in the corner is trying to sniff other people’s unencrypted data out of the air.

The good news is that more and more websites have jumped on board the HTTPS web encryption bandwagon, and users will have noticed the green padlock appearing in their browser’s address bar to indicate a secure, encrypted connection.

If you don’t see padlock icon in your address bar then you should not enter any type of sensitive information (passwords, bank account information, social security numbers, credit card numbers etc), because of the risk of eavesdropping.

But wouldn’t it be great if even more sites adopted HTTPS to properly protect our information?

Google certainly thinks so, and has announced that from January 2017 its Chrome browser will be marking “HTTP sites that transmit passwords or credit cards as non-secure”.

Source: Google

The problem up until now is that Chrome hasn’t been explicitly pointing out that you’re on an HTTP webpage:

Chrome currently indicates HTTP connections with a neutral indicator. This doesn”t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.

Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently.

In the future, Google plans to extend its HTTP warnings to cover more scenarios – its ultimate aim to “label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”

Of course if Google were to take that step straight away users would be seeing a *lot* of warnings. It’s a good thing that they’re not rushing to extend the HTTP warning quite so far just yet, as you can imagine how many users would react. That would be a big mistake on Google’s part.

But I wonder if Google is making another mistake in its approach here.

In its warning it says “Not secure”. That’s not really the right terminology. What they really mean is “Not encrypted.”

After all, it’s perfectly possible to have a website that is using HTTPS web encryption and providing security correctly at that level, but is lacking security in other ways.

It would be a mistake, for instance, to find ourselves back in the bad old days when some users believed that the mere existence of a padlock in the browser bar meant that the site could be trusted and considered legitimate, when it was perfectly possible for criminals to set up a website with HTTPS if they wished or compromise a legitimate website that was using web encryption properly.

Maybe I’m shouting into the wind, as educating the public about these semantic differences is surely an impossible task. But let’s not hope that users make the mistake of thing that sites which don’t have the “Not secure” warning are magically safe to use.

That grumble aside, I am in favour of anything which delivers a more encrypted web to the world. Maybe this change in Chrome will make more websites wake up to the importance of switching to HTTPS, especially on those webpages where they asking for sensitive information.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like