OAKLAND–The security engineers at Google have spent years working on improving the security and reliability of Chrome, and it’s had a remarkable effect. They’re not satisfied with just raising the security bar for one browser, though, and now are pushing the rest of the industry and the web community at large to get with the program.
Because of its position, Google can influence much of what users see in terms of the security notifications and warnings when they hit a potentially malicious site or receive a suspicious email. Through its Safe Browsing API, which is used by most of the other browser vendors, Google can deliver warnings to a huge portion of the online community. In much the same way, the company can exert a lot of influence on the way users see sites that have secure connections as well as ones that don’t.
Google has been rolling out a series of changes in its Chrome browser in the last few months that give users more information about how secure a site’s connection is, with the goal of not-so-gently nudging more sites in the direction of deploying HTTPS. As of Chrome 56, Google now marks HTTP pages as not secure. That’s a small but significant change in the browser’s behavior, and it is meant not only to warn users but also to put the stick to sites that are lagging behind on HTTPS rollouts. Secure connections are vital for both security and privacy reasons, and Google’s engineers want more sites to get on the HTTPS bandwagon.
And by more, they mean all.
“The collection of sites that we browse through says a lot about our identity and our intentions. APIs exist that allow sites to know more about us than ever before,” Emily Schechter, product manager for Chrome security at Google, said in a talk at the Enigma conference here Monday. “So why don’t all sites just turn on HTTPS right now? Well, it turns out that turning on HTTPS involves overcoming some challenges that aren’t strictly technical. It can be difficult to convince decision makers that this migration is important enough to overcome these challenges.”
Many of those obstacles involve cost, both financial and computational. HTTPS connections can be somewhat slower than plaintext ones, and rolling out HTTPS across a large infrastructure is a significant project. But, as Schechter pointed out, much of the performance hit can now be dealt with through optimization, and there are financial benefits to turning on HTTPS, such as higher conversion rates on commercial sites.
The responsibility for changing executives’ minds about HTTPS deployments often falls to the security team, and Schechter said it’s time to adjust that conversation.
“We must change the way we talk about HTTPS. There are now real business benefits to migrating,” she said. “It unlocks features that measurably benefit consumers and there are ways to mitigate the real and unavoidable hurdles.”
Another change that Google is making as part of this effort is requiring that the most powerful web APIs use HTTPS. Eventually, the company would like to get to the point where all APIs use secure connections, but Schechter said it’s a process. In the meantime, Google will continue to evolve the way Chrome handles secure and plaintext connections and keep pushing site owners to move to HTTPS as soon as possible.
“We focus on the areas with the most immediate security consequences,” Schechter said. “We’re on a mission to be honest with our users without inducing panic or chaos.”