Sites that send sensitive user data over HTTP will soon find their pages marked as insecure in Google Chrome.
The company plans to begin marking pages as insecure when they send information such as passwords or credit card numbers over HTTP rather than HTTPS. The change is a major one, but it is just one step in a process that will eventually see Chrome designate all HTTP pages as insecure, Google officials said Thursday. The intermediate change will take place in January, with the release of Chrome 56.
“Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure,” Emily Schechter of the Chrome security team said in a post explaining the change.
“Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.”
Right now, Schechter said, more than half of all Chrome pages served to desktop users are sent over an HTTPS connection. Eventually, as users become accustomed to the changes in Chrome, Google will start marking every HTTP page as insecure, a clear signal to both site owners and users.
“In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as ‘not secure’ in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,” Schechter said.
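For a site owner who wants to find the pages Chrome 56 will flag before the release lands, the following added audit script (not code from the article or from Google) parses a page's HTML and reports forms that collect a password or credit-card field while the page itself is served over plain HTTP. It goes one step beyond the article's case and also reports a form on an HTTPS page whose action posts to an HTTP URL, since the credentials are sent in the clear either way. The sample HTML, the `example.test` hostnames and the credit-card heuristic (autocomplete values such as `cc-number`, or "card" in the field name) are constructed here and are assumptions, not Chrome's exact detection logic.

```python
"""Audit HTML pages for forms that collect passwords or card numbers over HTTP.

Standard library only (html.parser, urllib.parse), so it runs offline
against HTML fetched or saved by other means.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: these autocomplete tokens identify card fields. Chrome's own
# heuristics are not published on the page, so this is an approximation.
CC_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp"}


class SensitiveFormParser(HTMLParser):
    """Collect every <form> with flags for password / card inputs it contains."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # dicts: action, has_password, has_cc
        self._current = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # Relative actions resolve against the page URL; an empty
            # action submits back to the page itself.
            action = urljoin(self.page_url, a.get("action", ""))
            self._current = {"action": action, "has_password": False, "has_cc": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True
            ident = (a.get("name", "") + " " + a.get("id", "")).lower()
            if a.get("autocomplete", "").lower() in CC_AUTOCOMPLETE or "card" in ident:
                self._current["has_cc"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return (reason, form_action) tuples for forms that would be marked insecure.

    reason is "page-over-http" when the page itself is not HTTPS (the case
    Chrome 56 labels), or "form-action-over-http" when an HTTPS page posts
    sensitive fields to a non-HTTPS URL.
    """
    parser = SensitiveFormParser(page_url)
    parser.feed(html)
    parser.close()

    page_scheme = urlparse(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not (form["has_password"] or form["has_cc"]):
            continue  # no sensitive data collected; Chrome 56 leaves it alone
        action_scheme = urlparse(form["action"]).scheme.lower()
        if page_scheme != "https":
            findings.append(("page-over-http", form["action"]))
        elif action_scheme != "https":
            findings.append(("form-action-over-http", form["action"]))
    return findings


# Constructed sample page: a login form, a harmless newsletter form, and a
# payment form whose action explicitly points at an HTTP endpoint.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/newsletter" method="post"><input type="email" name="email"></form>
<form action="http://pay.example.test/charge" method="post">
  <input name="number" autocomplete="cc-number">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://example.test/login", "https://example.test/login"):
        print(url)
        for reason, action in audit_page(url, SAMPLE_HTML):
            print(f"  {reason}: form posts to {action}")
```

Running the script prints two findings for the HTTP copy of the page (both sensitive forms) and one for the HTTPS copy (only the payment form, because its action leaves HTTPS). Pointing `audit_page` at a site crawl gives an inventory of the pages to migrate first.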
One of the arguments against using HTTPS by default on many sites was the performance hit, but that problem has been solved for the most part.