Google Chrome update to label HTTP-only sites insecure within WEEKS
Winter HTTPS is coming
A looming deadline – now less than three weeks away – means that Google Chrome users who visit unencrypted websites will be confronted with warnings.
The changes will come for surfers once Chrome 68 stable updates go live on 23 July. From then on, any web page not served over HTTPS with a valid TLS certificate will show a "Not Secure" warning in the Chrome address bar. The warning will apply both to internet-facing websites and to corporate/private intranet sites accessed through Chrome, which has about a 60 per cent share of the browser market.
SSL certificate firm DigiCert released research on Tuesday that found 43 per cent of the Alexa top million sites used HTTPS by default, while a W3Techs June survey reported that HTTPS is the default protocol for 35.6 per cent of the top 10 million websites. Many smaller and less-visited sites may still rely on HTTP.
Security researcher Scott Helme makes use of web crawlers to collect daily data on the top million sites. He's an advocate of HTTPS-everywhere and has spoken at several conferences on the topic.
"The July update to Google Chrome is a significant milestone in the progress to ensuring the web is safer for all to use," Helme told El Reg. "We've been rapidly advancing towards an encrypted web for years but staggering progress has been made in the last two years. I've been tracking an accelerated rate of adoption for HTTPS across the web and other independent research also confirms that this is indeed the case."
Helme said he welcomed the changes to be brought by mainstream Chrome releases at the end of the month because the security status of a site will be far more visible. Instead of being obliged to check for a padlock to check a site is secure, surfers will be confronted with a warning if it isn't.
"The move to mark HTTP as 'Not Secure' is also being followed by plans to simplify the HTTPS indicators too; the two approaches go hand in hand," Helme said. "As HTTPS becomes more and more the default, it makes no sense to keep the 'Secure' indicator present; the browser should only tell us when something notable happens. Going forwards the notable thing is set to become that the connection was [insecure], and not that it was secure, proving that encrypted communications have become the expectation and not the exception."
Security consultant Paul Moore added a note of caution, pointing out that even HTTPS sites can have vulnerabilities.
"I remain concerned by the insinuation that a site is 'secure' simply because they deploy TLS. That's clearly not what Google are suggesting... however, the target demographic (the general public) are unlikely to understand the difference and will likely use 'secure' as an umbrella term to describe the entire site, rather than the connection itself."
The Chrome update is designed to spur the millions of sites still using HTTP to adopt HTTPS. The web has made great strides in that direction of late but there's still work to be done. "Many sites need to catch up to avoid the 'Not Secure' warnings," said DigiCert chief product officer Jeremy Rowley. "We urge IT administrators to check the sites they look after and deploy the appropriate TLS certificates.
"In some instances, administrators may believe they don't need certificates on all pages, but incorrect configuration and deployment will still lead to warnings within Chrome."
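Rowley's point that a misdeployed certificate still earns a "Not Secure" warning is easy to check before Chrome does it for you. The script below is an added example, not code from the article or from DigiCert: it reproduces the two checks a browser applies to a leaf certificate (the hostname must appear in subjectAltName, with wildcards limited to the left-most label, and the validity window must cover today), and wraps them in a live probe that uses Python's default verifying TLS context. The sample certificate dict, its hostnames and dates are constructed for illustration.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# Hostnames and dates are made up for this example, not taken from the article.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.cdn.example.test")),
    "notBefore": "Jan  1 00:00:00 2018 GMT",
    "notAfter": "Dec 31 23:59:59 2018 GMT",
}

def san_matches(pattern, hostname):
    """RFC 6125-style match: '*' may only stand in for the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".cdn.example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]        # what the '*' would have to cover
    return bool(leftmost) and "." not in leftmost

def check_cert(cert, hostname, now=None):
    """Return the problems a browser would flag for this cert/host pair ([] means OK)."""
    now = time.time() if now is None else now
    problems = []
    # Modern browsers ignore the CN; the host must be listed in subjectAltName.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(n, hostname) for n in names):
        problems.append("hostname %s not covered by subjectAltName %s" % (hostname, names))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired on " + cert["notAfter"])
    elif now > not_after - 14 * 86400:
        problems.append("certificate expires within 14 days")
    return problems

def audit_site(hostname, port=443, timeout=5.0):
    """Live probe: a failed handshake (bad chain, wrong name) is itself a problem."""
    ctx = ssl.create_default_context()        # verifies chain and hostname like a browser
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return check_cert(tls.getpeercert(), hostname)
    except (ssl.SSLError, OSError) as exc:
        return ["TLS connection failed: %s" % exc]
```

Run `audit_site` over each hostname an administrator is responsible for; any non-empty list is a page that will carry the warning after 23 July.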
Research from earlier this year by Ipsos found that the vast majority (87 per cent) of internet users will not complete a transaction if they see a browser warning on a web page. More than half (58 per cent) of respondents said they would go to a competitor's website to complete their purchase. European surfers were confronted with privacy update notices at multiple sites as a lawyer-mediated, and probably intended, side effect of the introduction of GDPR. Whether or not this will have any effect on responses to browser warnings is unclear.
Although Chrome is the first browser to deploy such a visible warning system on non-HTTPS websites, it's likely that Microsoft, Apple and Mozilla will follow suit. Rowley added: "HTTP 2.0 requires TLS encryption in major browsers. As the major browsers migrate to the newer technology, websites will find certificate deployment becoming increasingly important." ®