Chrome to Mark All HTTP Sites "Not Secure" in July



Google announced this week it will flag all HTTP websites "Not Secure" later this summer in hopes of fostering a more secure web.

Google announced this week it will mark all unencrypted HTTP websites as "Not Secure" in its Chrome browser this summer.

Emily Schechter, Chrome’s Security Product Manager, announced the long-expected move in a blog post on Thursday.

Beginning in July, with Chrome 68, Chrome users who navigate to an HTTP website will see a notification in the URL bar that the site isn't secure. The company began displaying the warning on HTTP sites that contain forms, like text input fields, last October, with Chrome 62.

Google rolls out browser-wide changes like this slowly, hence the six-month warning. The company announced it would be marking HTTP sites with text input fields last April but sent site owners reminder emails about the change in August.

Google hopes the move will drive site owners who haven’t yet done so to embrace encryption by default.

Mozilla will eventually follow in Google’s footsteps. Jonathan Kingston, a security developer for Firefox, told a user on Twitter Thursday the company is experimenting with marking pages “Not Secure” in Firefox and that he hopes Mozilla can push it to all users at some point in 2018.

The move to get the web 100 percent encrypted has been an uphill but successful battle. Let's Encrypt, which keeps track of the number of web pages loaded by Firefox over HTTPS per the browser's telemetry, said 50 percent of page loads used HTTPS around this time last year. That number's up to almost 70 percent today, a year later.

Google and Let's Encrypt haven't been fighting the good fight alone. The Tor Project and the Electronic Frontier Foundation started early by releasing the beta version of HTTPS Everywhere, a browser extension that rewrites requests on some HTTP sites, way back in 2010. The 1.0 version arrived the next summer.

The White House’s Office of Management and Budget (OMB) finalized an HTTPS-Only Standard for all publicly accessible federal websites and web services in 2015. The Federal Trade Commission and Wikipedia switched to HTTPS by default that same year. WordPress meanwhile turned on HTTPS by default for 600,000 sites in 2016.

In addition to providing the HTTPS timeline for Chrome on Thursday, Schechter also took the opportunity to say that Google has improved its Lighthouse tool. Lighthouse, an open source app, helps developers run audits on webpages. A recent update can help users find elements that may load over HTTP and inform them whether or not they can be upgraded to HTTPS.

Chris Brook


Chris Brook is the editor of Data Insider. He is a technology journalist with nearly a decade of experience writing about information security, hackers, and privacy. Prior to joining Digital Guardian he helped launch Threatpost.