Google details how it will overturn encryption signals in Chrome
- 22 May, 2018 06:45
Google has further fleshed out plans to upend the historical approach browsers have taken to warn users of insecure websites, spelling out more gradual steps the company will take with Chrome this year.
Starting in September, Google will stop marking plain-vanilla HTTP sites - those not secured with a digital certificate, and which don't encrypt traffic between browser and site servers - as secure in Chrome's address bar. The following month, Chrome will tag HTTP pages with a red "Not Secure" marker when users enter any kind of data.
Eventually, Google will have Chrome label every HTTP website as, in its words, "affirmatively non-secure." By doing so, Chrome will have completed a 180-degree turn from browsers' original signage - marking secure HTTPS sites, usually with a padlock icon of some shade, to indicate encryption and a digital certificate - to labeling only those pages that are insecure.
"Users should expect that the web is safe by default," wrote Emily Schechter, a product manager on the Chrome security team, in a May 17 post to a company blog. "Since we'll soon start marking all HTTP pages as 'not secure,' we'll step towards removing Chrome's positive security indicators so that the default unmarked state is secure."
In July, Chrome 68 - slated to release the week of July 22-28 - will mark all HTTP sites by planting 'not secure' in the address bar. Google had previously announced that stage of its signage changes.
With the release of Chrome 69 during the week of Sept. 2-8, the browser will brand secure pages - HTTPS sites assigned a valid digital certificate - with a neutral marker, instead of one that affirmatively notes a secure page. Specifically, Chrome 69 will drop the green "Secure" text from the address bar for HTTPS sites and show only the small padlock icon.
Then the week of Oct. 14-20, Chrome 70 will tap any HTTP site with an insecure icon - a small red triangle - and the text "Not secure" in the address bar as soon as the user interacts with any input field, such as a password field or one that requires credit card information.
After Chrome 70, Google's calendar has no firm dates. "There is no target date for the final state yet, but we intend to mark all HTTP pages as affirmatively non-secure in the long term (the same as other non-secure pages, like pages with broken HTTPS)," stated the overall plan to make secure sites the default in the browser's signage.
Google's campaign to flip the signals began in 2014 and has met several milestones since then. In January 2017, for example, Chrome 56 started to shame sites that didn't encrypt password or credit card fields with the "Not secure" label on pertinent pages. In February 2018, Google announced the changes to Chrome 68, which in two months will mark all HTTP sites with the same negative notification.
In parallel with the four-year-old secure-goes-unmarked project, Google has been pushing all websites to adopt HTTPS, not just those that, say, indulged in e-commerce, as was the case before. For instance, Google - along with Mozilla and others - has sponsored the Let's Encrypt project, which provides digital certificates at no cost.
But it has been Chrome's quickly-growing share that has arguably been the most effective ambassador for HTTPS. In April, analytics vendor Net Applications pegged Chrome's user share at nearly 62%, making it the dominant browser. That position has given Chrome enormous influence, which Google has not hesitated to apply as it sees fit. No site wants to give all those users the impression that it's insecure and not to be visited. Nor surprisingly, then, site owners and operators have fallen in line with Google's demand that the web go all-in on HTTPS.