Chrome 56 to Mark Some HTTP Pages as Insecure

Exterminator

Chrome 56, set for release in January 2017, will start marking HTTP pages that contain sensitive content such as passwords or payment forms as insecure, Google announced today.

Google's end goal is to mark all HTTP pages with a red icon specific to broken HTTPS connections, but the company plans to do this in several stages.

The first stage, as explained today by Emily Schechter from the Chrome Security Team, starts next January when the browser will start prepending the phrase "Not secure" before the page's URL (see image below).

"In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as 'not secure' in Incognito mode, where users may have higher expectations of privacy," Schechter explains. "Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS."

Current Chrome versions don't use any kind of indicator to highlight that the user is navigating via an insecure HTTP connection that transfers data in cleartext.

Google: HTTPS usage has gone up
HTTP connections are considered insecure in the eyes of many security experts and companies, but there are a lot of users that don't pay special attention if the site they're navigating uses HTTP or HTTPS.

Google's groundbreaking decision comes to educate users about the dangers of HTTP connections that are susceptible to MitM attacks, among many things.

Data sent through HTTP connections, such as passwords or payment details, can be easily intercepted by a person on the same network.

Google has been pushing for sites to use HTTPS. Mozilla has been doing the same thing, through its Let's Encrypt project that provides free TLS certificates for website owners so they can implement HTTPS for their services.

Google says that according to Chrome telemetry, around half of the web pages loaded in its browser on a daily basis are via HTTPS.
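For site owners who want to find the pages this change would affect, here is an added example (not part of the article and not Chrome's code) that scans HTML for password and payment inputs on pages served over plain HTTP. The field heuristics (`type="password"` and the standard `cc-*` autocomplete tokens) are assumptions, since the article does not describe how Chrome detects such forms; the URLs and markup are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a field counts as "payment" when it carries one of the HTML
# standard credit-card autocomplete tokens. Chrome's own detection logic is
# not described in the article and may differ.
PAYMENT_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month",
                  "cc-exp-year", "cc-csc", "cc-type"}


class SensitiveFieldFinder(HTMLParser):
    """Collects password and payment <input> elements from one HTML page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        label = a.get("name") or a.get("id") or "(unnamed)"
        if a.get("type", "").lower() == "password":
            self.findings.append(("password", label))
        elif PAYMENT_TOKENS & set(a.get("autocomplete", "").lower().split()):
            self.findings.append(("payment", label))


def audit_page(url, html):
    """Return (kind, field) pairs for sensitive inputs served over plain HTTP."""
    if urlsplit(url).scheme != "http":
        return []  # HTTPS pages are outside the scope of this warning
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages (not real sites).
SAMPLE_PAGES = {
    "http://shop.example/login": '<form><input name="user"><input type="PASSWORD" name="pw"></form>',
    "http://shop.example/pay": '<input id="card" autocomplete="section-a cc-number"/>',
    "https://shop.example/login": '<form><input type="password" name="pw"></form>',
    "http://shop.example/about": "<p>No forms here</p>",
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(url, audit_page(url, html))
```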
 
yigido

It is great! Writing "Not Secure" before the domain makes people feel "they are not safe while viewing that site", so this behavior of Chrome will force those websites to use HTTPS.
 
_CyberGhosT_

A great step forward I agree Sheep, but on pages like the ones you, I, and others have bookmarked,
be honest, how often do you look up at that address bar unless you're typing or pasting in it?
I think the average user will be oblivious to this till Chrome starts blocking them outright lol :)
 

ElectricSheep

Very good point indeed, ghostly one :) At least we, because we have more awareness, probably check the bar a little more often than the average user, and I'm in the habit of checking what comes up in the bottom left when I hover over hyperlinks. :)

But yes, the average user probably just clicks clicks and clicks through without a thought for what they're doing :eek: :eek:
 
NekoHr

On the other hand, if all HTTP is marked Not secure then "regular" users will assume all HTTPS (not Not secure) is secure and just click through.

Set up phishing site with HTTPS and profit 'cause it is secure. ;)
 