Google tightens noose on HTTP: Chrome to stick ‘Not secure’ on pages with search fields
On October 27, a new version of the Chrome browser will be introduced. Google is giving web developers six months to prepare for the next phase of its plan to mark all HTTP pages as ‘Not secure’.
October will mark stage two of Google’s plan to label all HTTP pages as ‘Not secure’ in Chrome.
In January, Google started to label some pages in HTTP as non-secure with the release of Chrome 56. This phase affected pages that transmit sensitive information such as login and payment-card data on the web.
The not-secure label indicated that data is being exchanged on an unencrypted connection. HTTPS, the secure version of HTTP, offers better protection against someone on the same network viewing or modifying the traffic, in what is known as a man-in-the-middle attack.
Beginning in October, Chrome will label HTTP pages as insecure if users can input any data. Google highlights that this will apply to any page with a search box.
“Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the ‘Not secure’ warning when users type data into HTTP sites,” said Emily Schechter, a Chrome Security Team product manager.
The expanded warnings for HTTP pages are likely to add pressure on site owners to acquire the necessary SSL/TLS certificates and set up HTTPS on their web servers. Also, warnings for any user-input field cast a wider net than login and payment pages, given the frequency of pages with a search box.
Site owners have about six months from now to enable HTTPS, with Chrome 62 due for stable release on October 24.
One site owner discovered the consequences of not enabling HTTPS on payment and login pages in March, and, amusingly, filed a bug report to Mozilla requesting the warnings be removed.
Chrome 62 will also introduce warnings for all HTTP pages when the user selects Chrome’s Incognito mode.
“When users browse Chrome with Incognito mode, they likely have increased expectations of privacy. However, HTTP browsing is not private to others on the network, so in version 62 Chrome will also warn users when visiting an HTTP page in Incognito mode,” said Schechter.
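For site owners taking stock before the deadline, the following added example (not Google's code and not Chrome's actual detection logic) sorts pages into the phases described above: password or payment-card fields on HTTP (Chrome 56), any typed input on HTTP or any HTTP page in Incognito (Chrome 62). The field-type lists, the label strings and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: input types a user cannot type text into; all others count as typed input.
NON_TYPED = {"hidden", "submit", "button", "reset", "image",
             "checkbox", "radio", "file", "range", "color"}
# Assumption: autocomplete tokens that mark a payment-card field.
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}

class FieldScanner(HTMLParser):
    """Records whether a page has sensitive fields and/or any typed-input field."""
    def __init__(self):
        super().__init__()
        self.sensitive = False
        self.typed = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "textarea":
            self.typed = True
        elif tag == "input":
            itype = a.get("type") or "text"   # a missing type defaults to text
            if itype == "password" or CARD_TOKENS & set(a.get("autocomplete", "").split()):
                self.sensitive = True
            if itype not in NON_TYPED:
                self.typed = True

def classify(url, html, incognito=False):
    """Return which phase of the 'Not secure' rollout would cover this page."""
    if urlsplit(url).scheme.lower() != "http":
        return "not-http"
    scan = FieldScanner()
    scan.feed(html)
    if scan.sensitive:
        return "chrome-56"      # login / payment-card data over HTTP
    if scan.typed or incognito:
        return "chrome-62"      # any typed data, or any HTTP page in Incognito
    return "not-yet-labelled"   # plain HTTP page, covered only by the eventual final phase

def audit(pages, incognito=False):
    """Classify a {url: html} inventory."""
    return {url: classify(url, html, incognito) for url, html in pages.items()}

# Constructed sample inventory.
SAMPLE_PAGES = {
    "http://shop.example/login": '<form><input name="u"><input type="password" name="p"></form>',
    "http://shop.example/": '<form action="/s"><input type="search" name="q"></form>',
    "http://shop.example/about": '<p>About us</p><input type="hidden" name="t" value="1">',
    "https://shop.example/": '<form action="/s"><input type="search" name="q"></form>',
}
```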
Google hasn’t said how or when it will expand non-secure warnings to more HTTP pages but it will eventually label all HTTP pages insecure. When that happens, it will display ‘Not secure’ in red, which is today only used for broken HTTPS.
According to Google’s HTTP Transparency Report, over half of all pages are viewed over HTTPS on the desktop. For Chrome OS, 71 percent of pages are loaded over HTTPS, while for Chrome on Windows the figure is 58 percent. While it is becoming more common for sites to enable HTTPS, dozens of the world’s most popular sites still have not.