Google will name and shame insecure websites

Websites without HTTPS will be marked as "non-secure" from 2017

Google Chrome will warn web users next year that sites are "not secure" if they do not use HTTPS.

Google is giving websites that transmit passwords or credit card details until 2017 to make the move to the secure protocol, which encrypts communications between your browser and internet sites. 

"Beginning in January 2017 (Chrome 56), we'll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure," noted Emily Schechter of the Chrome security team, in a blog post.

Google will show the warning to users with a bit of text ahead of the URL in the address bar of the Chrome browser.

At the moment, Chrome highlights that a connection is HTTP and not private via an icon that users have to click to see a warning. If you're using Google's browser, click the icon before the URL in the address bar, and it will tell you that "your connection to this site is not private". 

In the longer term, that will show the words "not secure" and let users click through for more information. 

However, Google admitted that users ignore security icons and warnings, becoming "blind to warnings that occur too frequently". 

Google feels the risk of warning overload is worth it. "When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you," noted Schechter. 

Security analyst Graham Cluley said not only could the increased warnings cause trouble, but so could the terminology. 

"In its warning it says 'Not secure'," he said in a blog post. "That's not really the right terminology. What they really mean is 'Not encrypted'."

The use of HTTPS does not mean the site is secure in other ways, he noted. "It would be a mistake, for instance, to find ourselves back in the bad old days when some users believed that the mere existence of a padlock in the browser bar meant that the site could be trusted and considered legitimate, when it was perfectly possible for criminals to set up a website with HTTPS if they wished or compromise a legitimate website that was using web encryption properly," he added. 

Because of the risk of users ignoring the warnings, Google intends to roll them out slowly and carefully. The first warnings, in January, will label as insecure only those HTTP pages that have credit card or password fields.

Next, it will extend HTTP warnings to any page, regardless of content, that is opened in Incognito mode, "where users may have higher expectations of privacy". 

Chrome security team member Schechter added: "Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS."

That means websites - including this one, but also Google's own Chromium blog - will have time to upgrade to HTTPS to avoid their visitors being shown a message that their pages are insecure. 

She added that Google's traffic stats show half of Chrome desktop page loads are already served over HTTPS.
