Chrome will finish the era of HTTP
Google's promote for all websites to be HTTPS. At the same time, they mark with a large red cross every website that doesn't provide an encrypted connection.
A year after Google's Chromium Security team proposed marking all HTTP sites which are unsecured, the company is preparing to implement the policy in Chrome.
As the company emphasized in its proposal in 2014, HTTP sites provide no data security to users, so why don't browsers warn users of this fact, say, by displaying a red cross over a padlock next to the URL instead of the status quo, which is no warning at all?
An effective cooperation
Google called on Apple, Microsoft, and Mozilla to reverse the situation completely, so that one day the only unmarked sites are those that have enabled the more secure protocol, HTTPS.
With HTTPS, the connection to users is encrypted and the site's digital certificate has been verified by a third-party certificate authority. The new marking in Chrome is designed to be the stick to the carrots Google has dangled to encourage wider adoption of HTTPS.
Google states that properly secured connections can frustrate surveillance attacks on the web. In 2014, it began using HTTPS as a positive ranking signal and in December adjusted its indexing system to crawl for HTTPS equivalents of HTTP pages and prioritize them where they're available.
Chrome users can look at how the markings would work by typing chrome://flags/ in the URL bar and enabling the experimental feature 'Mark non-secure origins as non-secure'.
It is not clear yet when Google will introduce the new marking system by default in Chrome, though some observers, such as Eric Mill from the US General Services Administration's tech savvy unit 18F, have taken it as a sure sign the plan will proceed.
Google's Chromium issue tracker also indicates it is pressing ahead with the feature: Our goal is to mark non-secure pages like HTTP, using the same bad indicator as broken HTTPS, since this
- is more accurate than marking such pages as neutral
- simplifies the set of security indicators.
And as the company prepares to begin marking HTTP as bad, it has also released new tools to help developers deploy HTTPS.
Recently, Google has announced Security Panel, a new developer tool in Chrome that will help them identify common issues preventing sites from attaining the green padlock that represents a properly secured connection.
The tool will check the validity of a digital certificate and whether the site is using a secure protocol, cipher suite, and key exchange.
It will also help pinpoint the source of mixed content issues, such as a non-secure image on an otherwise secured page, which today in Chrome will trigger a grey padlock with a yellow triangle.
Ardas effective team will monitor this case and we will inform you about future updates. Follow our blog to find out more useful info.
Your Ardas Team