Google Chrome will start warning users about non-HTTPS sites from 2017
9 September 2016
Google Chrome will start warning users about sites that do not use encrypted connections from January.
From the start of 2017, sites that do not use HTTPS risk being flagged as "not secure" by the browser's security features, the web giant has announced.
Initially, this will only apply to sites that transmit passwords or credit card details over HTTP, but Google will eventually mark all HTTP sites as non-secure.
“Chrome currently indicates HTTP connections with a neutral indicator,” it said in a blog post. “This doesn’t reflect the true lack of security for HTTP connections.
“When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you…
“Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as ‘not secure’, given their particularly sensitive nature.
“In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as ‘not secure’ in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”
The warning will initially take the form of the grey words “not secure” in the browser’s address bar, but will eventually be red with a warning triangle.
The move has been praised by cyber security experts.
“Google is taking a great step toward improving security on the web by alerting users to websites that are using weak encryption that endangers security and privacy,” said Venafi chief security strategist Kevin Bocek. “It remains to be seen if users will pay attention.
“Unfortunately, many organisations are struggling to keep up with Google’s efforts to increase authentication, confidence and privacy.
“Many organisations still blindly trust all encrypted traffic, even though we know that cyber criminals have been able to subvert encryption in a variety of cyber attacks.”
For more on the changes, see the Google security blog.