Chrome 56, set for release in January 2017, will start marking HTTP pages that contain sensitive content such as passwords or payment forms as insecure, Google announced today.
Google's end goal is to mark all HTTP pages with a red icon specific to broken HTTPS connections, but the company plans to do this in several stages.
The first stage, as explained today by Emily Schechter from the Chrome Security Team, starts next January when the browser will start prepending the phrase "Not secure" before the page's URL (see image below).
"In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as 'not secure' in Incognito mode, where users may have higher expectations of privacy," Schechter explains. "Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS."
Current Chrome versions don't use any kind of indicator to highlight that the user is navigating via an insecure HTTP connection that transfers data in cleartext.
Google: HTTPS usage has gone up
HTTP connections are considered insecure by many security experts and companies, but many users don't pay attention to whether the site they're navigating uses HTTP or HTTPS.
Google's groundbreaking decision is meant to educate users about the dangers of HTTP connections, which are susceptible to MitM attacks, among other things.
Data sent through HTTP connections, such as passwords or payment details, can be easily intercepted by a person on the same network.
Google has been pushing for sites to use HTTPS. Mozilla has been doing the same thing, through its Let's Encrypt project that provides free TLS certificates for website owners so they can implement HTTPS for their services.
Google says that, according to Chrome telemetry, around half of the web pages loaded in its browser on a daily basis are loaded over HTTPS.