Starting in January of 2017, Google’s Chrome browser will start flagging some websites that don’t use web encryption as “Not Secure”—the first step in Google’s eventual plan to shame all sites that don’t use encryption.
In the last couple of years, the web has seen a tremendous rise in the number of websites that use encryption, which is displayed by that little green lock next to the site’s address and an extra “s” at the end of HTTP. The increase in the use of HTTPS web encryption has been part of a collective effort to improve security and privacy on the web, often under the banner of the campaign “Encrypt All The Things.”
At the beginning of this year, Google hinted—without announcing it officially—that it was going to flag all unencrypted websites as insecure, as Motherboard reported. At the time, Parisa Tabriz, who manages Google’s security engineering team, said that Google’s intention was to “call out” websites that still were on HTTP as “unsafe.”
On Thursday, Google officially announced its anti-HTTP plan. The company isn’t going to shame all unencrypted websites all at once, but will start only with HTTP sites that ask users to input passwords or credit card numbers. These sites will be flagged as “Not secure” in the Chrome address bar.
How Chrome will flag HTTP pages that ask users for passwords or credit card numbers. (Image: Google)
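Webmasters who want to know whether their own pages would trip this first-phase warning can check for the same two conditions Chrome looks at: the page is served over plain HTTP, and it contains a password or payment-card input. The following audit script is an added example written for this article, not Google's or Chrome's code. It assumes a simple heuristic (an `<input type="password">`, or an input whose `autocomplete` attribute starts with `cc-`) rather than Chrome's own detection logic, and the sample pages it scans are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class SensitiveInputFinder(HTMLParser):
    """Collect <input> elements that look like password or payment-card fields.

    Heuristic (an assumption for this example, not Chrome's exact rule):
    type="password" marks a password field; an autocomplete value starting
    with "cc-" (e.g. cc-number, cc-csc) marks a card field.
    """

    def __init__(self):
        super().__init__()
        self.sensitive_fields = []  # list of (kind, field name)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # attrs is a list of (name, value); value may be None for bare attributes
        attr = {k.lower(): (v or "").lower() for k, v in attrs}
        if attr.get("type") == "password":
            self.sensitive_fields.append(("password", attr.get("name", "")))
        elif attr.get("autocomplete", "").startswith("cc-"):
            self.sensitive_fields.append(("card", attr.get("name", "")))


def audit_page(url, html):
    """Report whether a page would be flagged: plain HTTP plus a sensitive input."""
    finder = SensitiveInputFinder()
    finder.feed(html)
    scheme = urlparse(url).scheme.lower()
    return {
        "url": url,
        "scheme": scheme,
        "fields": finder.sensitive_fields,
        "would_be_flagged": scheme == "http" and bool(finder.sensitive_fields),
    }


def audit_site(pages):
    """Given {url: html}, return the URLs that would get the 'Not secure' label."""
    return [url for url, html in pages.items() if audit_page(url, html)["would_be_flagged"]]


# Constructed sample pages (not real sites).
LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form></body></html>"""

CHECKOUT_PAGE = """<html><body>
<form action="/pay" method="post">
  <input type="text" name="card" autocomplete="cc-number">
  <input type="text" name="cvc" autocomplete="cc-csc">
</form></body></html>"""

ARTICLE_PAGE = """<html><body>
<form action="/search"><input type="text" name="q"></form>
<p>Just an article, nothing sensitive collected here.</p>
</body></html>"""

SAMPLE_SITE = {
    "http://shop.example/login": LOGIN_PAGE,        # flagged: HTTP + password
    "http://shop.example/checkout": CHECKOUT_PAGE,  # flagged: HTTP + card fields
    "http://shop.example/news": ARTICLE_PAGE,       # not flagged: nothing sensitive
    "https://shop.example/login": LOGIN_PAGE,       # not flagged: served over HTTPS
}

if __name__ == "__main__":
    for url, html in SAMPLE_SITE.items():
        result = audit_page(url, html)
        status = "NOT SECURE" if result["would_be_flagged"] else "ok"
        print(f"{status:11} {url}  fields={result['fields']}")
```

Pointing the same functions at fetched HTML (for example the body returned by `urllib.request.urlopen`) turns this into a quick crawl of a site's own pages; the fix for anything it flags is the one the article describes, serving the page over HTTPS.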
Then, in the future—Google is not saying exactly when yet—Chrome will flag all sites that don’t use TLS encryption as “Not secure” and also display a red triangle indicator, which Chrome already uses when users go to a dangerous website.
How Chrome will flag all HTTP pages in the future. (Image: Google)
“We definitely do plan to label all HTTP pages as non-secure eventually,” Emily Schechter, the Chrome Security product manager, told Motherboard, explaining that the company didn’t want to all of a sudden flood users with warnings. “We really wanted to be careful about it and we wanted to get it right.”
Schechter explained that Google’s main worry is that displaying alerts for all HTTP sites right away would lead users to see too many warnings and, eventually, ignore them. In other words, Google wants to educate users about the risks of unencrypted websites while striking the right balance and without leading them to what’s called “warning fatigue,” the point at which users get so used to warnings that they stop paying attention.
Google also wanted to announce the change before it was implemented to give webmasters time to migrate to HTTPS and not get caught by surprise, Schechter said.
While it seems like a small change, HTTPS provides multiple protections for users. Not only does it ensure that hackers and spies can’t easily intercept passwords and other sensitive data travelling over the internet, it also ensures that the site you’re looking at really is the site you want, and not an imposter. Without HTTPS, it’s trivial for a hacker on the same public WiFi network you’re using, or for government spies, to spy on you and to interfere with the sites you visit in order to trick you into giving up sensitive information.
With this move, Google is pushing for even more HTTPS adoption. And at this point, an HTTPS-only future seems inevitable. Google reported that nowadays, more than half of the sites visited by Chrome users are encrypted already.