Google to slap warnings on non-HTTPS sites

chrome-logo

How do you shame an unencrypted website?

The bard might advise that your sites be foul, undigested lumps, and the developers scullions! Rampallians! Fustilarians!

Then he’d likely threaten to tickle their catastrophes and their venomous toad-tainted nonencryptiousness.

Google Chrome, on the other hand, plans to strip it down: starting in January 2017, the browser will start flagging some unencrypted sites as plain old “Not Secure.”

OK. Well. It’s a start.

The “NS” label is the first step in Google’s eventual plan to shame all sites that don’t use encryption.

On Thursday, Emily Schechter, of the Chrome Security Team, said on the official Google security blog that the first step is to flag HTTP sites that transmit passwords or credit cards.

Then, it’s on to all the other obscene, greasy tallow-catches.

Google’s been pushing toward all-HTTPS for a while now.

In March 2014, during the unveiling of the ever-widening NSA/GCHQ/FBI/et al surveillance state, Google started using an always-on HTTPS connection and encrypting all Gmail messages moving internally on its servers.

At that time, only 50% of requests handled by Google were encrypted.

That meant that some of the web’s most trafficked locations were vulnerable: major news sites, for example, where intruders tinkering with content or spying on us could have major repercussions.

The percentage of encrypted sites has gradually climbed over the past two years. In March, Google’s Transparency Report said that it was securing 75% of our non-YouTube internet traffic.

The company also said that its aim was to hold itself accountable and to encourage others to encrypt so the web would be all that much safer for everyone.

That 75% obviously reflected progress over two years, but it still left 25% of traffic “in the clear,” as cryptographers put it.

That means that the HTTP sites aren’t using the encryption that’s commonly referred to as HTTPS. When a site’s using it, a browser’s address bar will show a padlock.

Without the S added to “HTTP” and the padlock, traffic is traveling without the encryption standard, Transport Layer Security (TLS).

It’s important to note that HTTPS isn’t only about confidentiality – which is how most people think of encryption – but also about authenticity and integrity, which in many cases are even more important.

This means that, without HTTPS, eavesdroppers can not only access the data flowing over the internet, seeing everything we do on a site, but can also intercept it and manipulate it.

When traffic is unencrypted, it opens up our online activities to anyone using the same Wi-Fi at the local coffee shop, who can steal our passwords or banking information. It also enables our online activity to be tracked and sold to advertisers by Internet Service Providers (ISPs).

It allows both governments and cybercriminals to keep an eye on what sites we’re visiting and what we’re reading, as well to alter what we see and where we go, whether that’s to censor content or to divert our banking transactions to the wrong recipients.

Beyond the uptick in encrypted traffic, there have been other improvements: Google recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS.

In addition, since February, when Google released a report on which top sites were using HTTPS, twelve more of the top 100 websites changed their serving default from HTTP to HTTPS.

As it now stands, Chrome indicates HTTP connections with a neutral indicator that doesn’t even hint at the true lack of security for HTTP connections, Schechter explained.

Here’s the plan: starting in January with Chrome 56, password or credit card form fields on non-encrypted sites will be labeled “not secure.”

Then, in following releases, those HTTP warnings will be extended: for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy.

Eventually, all HTTP pages will be labeled non-secure, and the HTTP security indicator will change to the red triangle/exclamation mark that Google uses for broken HTTPS.

Sounds great, for sure, and hopefully Google will manage to do it in a way that users won’t ignore. As Google is no doubt aware, people ignore security alerts up to 87% of the time.

Google isn’t pretending that encryption is easy, but it does offer reassurances that it’s not quite as onerous, or expensive, as it’s previously been.

Google notes that encryption also enables both the best performance the web offers and powerful new features that are too sensitive for HTTP.

Google’s offering set-up guides to get started.

So, obviously, developers, be you as chaste as ice, as pure as snow, but still you turn from encryption, you shall not escape calumny. Get you to an encryptionery.

Go! Farewell! We hope to welcome you anon soon to the land of HTTPS!