Google's Chrome is about to get rather in-your-face about HTTPS
More warnings for users, downgrading insecure APIs
Usenix Enigma 2017 Google and Firefox have been key drivers in the quest to get more people using HTTPS online, and starting this week the hammer is coming down.
In a speech at Usenix Enigma 2017, Emily Schechter, a product manager for Chrome security, said that progress on HTTPS adoption was going well – currently over half of the top 100 websites support HTTPS and 44 per cent default to it. However, there's still a lot of work to be done, and she outlined future plans.
Chrome is being rolled out and, as announced, the address bar icon for non-HTTPS connections has been changed so users see the written warning: “Not secure.” Google is adding a similar warning box to the autocorrect feature on password form pages and on sites asking for login pass phrases and credit card details over HTTP.
“We want to avoid warning fatigue for users, but we also want secure connections,” Schechter said.
Firefox has had similar wording in its developer builds for some time now, and Schechter said that similar warning messages will be displayed in the next stable build of Firefox. The same will be true for later browser builds if necessary.
In addition to encouraging users to switch, Google wants companies on their side. Traditionally businesses have been slow to get on board with HTTPS, due to expensive certifications and problems getting ad revenue and SEO information.
Those problems have eased, she said, with very little price premium (if any) for HTTPS certification – thanks to free Let's Encrypt certs. As for ad revenues, over 80 per cent of Google ad requests now go through HTTPS, with other ad networks showing similar figures. Incidentally, The Register can be viewed over HTTPS, from our forums login to white papers to editorial articles – hats off to our tech team for that.
Of the tech news sites I picked on 3 months ago for not having TLS, only @TheRegister managed to implement it before Chrome 56 dropped — Dawnstar Australis (@dawnstarau) January 30, 2017
Schechter said that businesses and developers would really benefit from HTTPS. That’s the carrot, and Google also has a stick to wield just in case.
The Chocolate Factory is going to start degrading the effectiveness of powerful APIs capable of slurping lots of useful data, unless they are used over a secure connection. Google has already downgraded the Geolocation API, and anyone using getUserMedia(), Encrypted Media Extensions, or AppCache will also face severe limitations unless they are on an HTTPS connection.
There will be optimized code in Chrome for transport layer security, notably in session resumption and false start functions. Conversely, features like Brotli compression will be performance-limited on insecure connections.
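The gating described in the two paragraphs above hinges on whether a page runs in a "secure context". The following added example (not code from the article, from Google or from Chrome) applies the W3C Secure Contexts origin rules to a URL and reports which of the features named in the talk would be restricted there; the feature list and the function names are this editor's summary, not Chrome's own code.

```javascript
// Added example: classify an origin as a secure context the way browsers do
// under the W3C Secure Contexts spec, then list the features this talk says
// Chrome limits outside one. GATED_FEATURES and DEGRADED_FEATURES are this
// editor's summary of the article, not a list exported by Chrome.

const GATED_FEATURES = [
  "Geolocation API",
  "getUserMedia()",
  "Encrypted Media Extensions",
  "AppCache",
];

// Not blocked, but the talk says performance is limited on plain HTTP.
const DEGRADED_FEATURES = ["Brotli compression"];

// Secure schemes always qualify. Loopback addresses and localhost names are
// treated as trustworthy even over http so developers can test locally
// without a certificate; every other http/ws origin is insecure.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.replace(":", "");
  if (scheme === "https" || scheme === "wss" || scheme === "file") return true;
  if (scheme !== "http" && scheme !== "ws") return false;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;               // WHATWG URL keeps the brackets
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Build the report a site owner would want before the warnings land:
// is this origin a secure context, and which features are affected if not?
function secureContextReport(urlString) {
  const secure = isPotentiallyTrustworthy(urlString);
  return {
    url: urlString,
    secureContext: secure,
    restrictedFeatures: secure ? [] : GATED_FEATURES.slice(),
    degradedFeatures: secure ? [] : DEGRADED_FEATURES.slice(),
  };
}

// Constructed sample origins, for illustration only.
for (const u of ["http://example.test/login", "https://example.test/login", "http://localhost:8080/"]) {
  console.log(JSON.stringify(secureContextReport(u)));
}
```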
This is fair enough, considering the kind of data we’re talking about, Schechter argued. Geolocation can reveal an internet user’s home or work address, and be used for tracking. Such data needs to be more secure, she argued, and that need is only growing stronger. ®