The ‘Not Secure’ Web
After years of hinting it would do so, Google finally began marking HTTP pages that collect information as “Not Secure” in Chrome this week.
Don’t say they didn’t warn you.
Since at least 2016 Google engineers have been telling anyone who would listen (and trying desperately to reach those who wouldn’t listen) that the company’s Chrome browser would eventually be marking any plaintext HTTP page as “not secure.” Last fall, they started to get more specific, saying that by this summer, when Chrome 68 hit the streets, any site loaded without a secure connection would be clearly identified in the address bar, telling users that any data they exchanged with the site wasn’t private.
Eventually finally came this week, and there are now hundreds of thousands of popular sites around the world that bear that “not secure” tag. The list includes a number of major sites, such as ESPN, BBC, and Baidu, and plenty of government sites in various countries. Data compiled by security researcher Troy Hunt and Scott Helme’s new Why No HTTPS project shows that a staggering 100 of the 502 most-popular sites worldwide aren’t serving pages over HTTPS.
“Who are these people?! After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic?” Hunt said in a post.
The release of Chrome 68 is an important milestone not just for Google and the Chrome team, but also for the larger internet community. Historically, browsers have shown users a positive indicator when they visit a site served over HTTPS, usually a green padlock or the word “Secure” in the address bar. That lets users know that not only is the site they’re visiting authentic, but any information they send to the site is encrypted and protected from eavesdropping. It’s a good visual cue.
But on sites that still use plaintext HTTP connections, browsers typically haven’t shown any indicator, either positive or negative. For example, if you visit ESPN in Safari, it simply shows the site name in the address bar, with no additional information about the security of the connection. A user without a clear understanding of web security, certificate authorities, and how HTTPS works could easily assume that connection is no different from one to Gmail, which is served over HTTPS. The addition of the clear, negative visual cue in the address bar on Chrome that HTTP connections are not secure sends a simple, unmistakable message to users.
“When you load a website over plain HTTP, your connection to the site is not encrypted. This means anyone on the network can look at any information going back and forth, or even modify the contents of the site before it gets to you. With HTTPS, your connection to the site is encrypted, so eavesdroppers are locked out, and information (like passwords or credit card info) will be private when sent to the site,” Emily Schechter, a Chrome security product manager at Google, said in a post Tuesday.
“Chrome’s ‘not secure’ warning helps you understand when the connection to the site you're on isn’t secure and, at the same time, motivates the site's owner to improve the security of their site. Since our announcement nearly two years ago, HTTPS usage has made incredible progress.”
So the Chrome team has done its part. Now it’s up to the site owners who are still lagging behind to take up the slack and ensure their visitors are protected.