Chrome users who navigate to some HTTP sites will be notified, starting in January, they’re on a site that isn’t secure.
Google said today the browser will begin explicitly labeling HTTP connections that feature either a password or credit card form as non-secure. The company said the plan is its first step toward marking all HTTP sites as non-secure, though it didn’t provide a timetable for the undertaking.
Emily Schechter, a member of Chrome’s Security Team, alerted users of the planned move in a post to Google’s Security blog.
The company said the move will improve on the browser’s current iteration of a warning, which indicates HTTP connections with a neutral indicator. Eventually, Google plans to mark all HTTP pages as non-secure and use the same red triangle it currently uses for broken HTTPS sites.
“This doesn’t reflect the true lack of security for HTTP connections,” Schechter wrote of the neutral indicator. “When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.”
Schechter notes that an academic paper released earlier this summer by Google’s Adrienne Porter Felt and Robert Reeder, among other researchers, spurred the move.
That paper, “Rethinking Connection Security Indicators,” found that most users understood Chrome’s green lock but were unclear what Chrome’s neutral page icon meant. In response, the researchers proposed three symbols appear in Chrome’s URL bar: A green lock for secure HTTPS sites, a gray “i” for insecure HTTP sites, and a red triangle for not secure, invalid HTTPS sites.
While the paper said Google was planning to adopt the researcher’s findings, it wasn’t clear when they’d find their way into Chrome until now.
Many of the researchers who wrote the paper have spent years evaluating user experiences related to online security and privacy. Last year Felt and Reeder, along with Google’s Alex Ainslie, Sunny Consolvo, and Helen Harris released a similar paper that proposed and evaluated a new SSL warning for Chrome 37. The researchers said a solid SSL warning should empower users to make an informed and intelligent decision, or failing that, guide them away from a potentially dangerous site and back toward safety.
Adrienne Porter Felt ✔ @__apf__
Chrome will start marking some HTTP sites as non-secure beginning in January. Get ready! https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html … pic.twitter.com/tBzz0E9lWh
Adrienne Porter Felt ✔ @__apf__
Pushing the internet forward is hard work. Greetz to @fugueish @emschec @lgarron @estark37 @alexainslie @maxwkr et al. Excited for Jan!
8:29 AM – 8 Sep 2016
4 4 Retweets 20 20 likes
Google will extend their warnings with subsequent releases. One example Schechter gives is labeling HTTP pages as “not secure” in the browser’s Incognito mode, where users often assume a higher level of privacy.
Eventually, Google plans to mark all HTTP pages as non-secure and use the same red triangle it currently uses for broken HTTPS sites.
The change is expected to be reflected in January; roughly around the time Google releases Chrome 56. Google released the most recent version of the browser, Chrome 53, earlier this month.
Earlier this week members from Google’s Safe Browsing team updated information in its Search Console to better help webmasters fix security issues. The information breaks down how exactly Google defines malware, deceptive pages, and harmful downloads, and unwanted downloads so users can prevent their sites from triggering harmful content warnings.