Chrome turns the screw ever tighter in Google’s encryption crusade

You might remember how, in January, Google started shaming sites that don’t use encryption when dealing with passwords or credit cards.

That was just a first step. Get ready for the screws to be tightened down yet again on sites that fail to scramble the data that flows between you and the websites you visit.

Namely, in a few weeks, the “Not secure” label is going to spring up in two additional, common scenarios: when users enter any data at all on an HTTP page, and on all HTTP pages visited in Incognito mode.

The stronger push toward HTTPS is coming in Google Chrome 62, due to ship on 17 October for Mac/Windows/Linux. An update of Chrome OS will arrive a week later.

As Google explained in April, these next steps toward more connection security are necessary because we need everything we type into a website to be private as it flies across the internet to its destination (and to be sure that destination is the one we think it is), not just passwords and credit cards:

Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites.

Likewise, the “Not secure” label makes sense for Google’s Incognito mode, given that Incognito users very likely expect privacy, according to Emily Schechter from the Chrome Security Team. Incognito mode or no, they aren’t getting that privacy if they’re on an HTTP page, she said.

HTTP browsing is not private to others on the network, so in version 62 Chrome will also warn users when visiting an HTTP page in Incognito mode.
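For site owners wondering which of their pages will pick up the new label, the two Chrome 62 rules above are simple enough to check offline. The following is an added example written for this article, not code from Google or Chrome: it parses a page’s HTML, and reports an HTTP page as “Not secure” if it contains any field a user could type into, distinguishing password and payment-card fields (the January rule) from other inputs (the Chrome 62 rule), and treating every HTTP page as “Not secure” when the Incognito flag is set. The sample pages and the `example.test` URLs are constructed; the classification names are this example’s own.

```python
"""Classify constructed pages against the Chrome 62 "Not secure" rules (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

INPUT_TAGS = {"input", "textarea", "select"}
# <input> types that never accept typed user data
NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image"}
# autocomplete tokens for the password / credit-card fields the January (Chrome 56) rule covered
SENSITIVE_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "current-password", "new-password"}


class FieldCollector(HTMLParser):
    """Collect (tag, type, autocomplete) for every data-entry field on the page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in INPUT_TAGS:
            return
        a = dict(attrs)  # attribute values may be None for bare attributes such as <input disabled>
        ftype = (a.get("type") or "text").lower()
        if tag == "input" and ftype in NON_DATA_TYPES:
            return
        self.fields.append((tag, ftype, (a.get("autocomplete") or "").lower()))


def classify(url, html, incognito=False):
    """Return one of: secure, not_secure_sensitive, not_secure_input, not_secure_incognito, neutral.

    'neutral' means an HTTP page that Chrome 62 would not label: no data-entry fields and
    not in Incognito mode. Labels are this example's names for the article's scenarios.
    """
    if urlsplit(url).scheme.lower() == "https":
        return "secure"
    collector = FieldCollector()
    collector.feed(html)
    # Password or payment fields were already flagged in January; report them as the stronger case.
    for _tag, ftype, autocomplete in collector.fields:
        if ftype == "password" or autocomplete in SENSITIVE_AUTOCOMPLETE:
            return "not_secure_sensitive"
    if collector.fields:
        return "not_secure_input"       # new in Chrome 62: any typed data on an HTTP page
    if incognito:
        return "not_secure_incognito"   # new in Chrome 62: every HTTP page in Incognito
    return "neutral"


if __name__ == "__main__":
    # Constructed sample pages, not fetched from anywhere.
    samples = [
        ("http://example.test/search", "<form><input name=q></form>", False),
        ("http://example.test/login", '<input type="password" name="p">', False),
        ("http://example.test/about", "<p>About us</p><input type=hidden name=csrf>", False),
        ("http://example.test/about", "<p>About us</p>", True),
        ("https://example.test/search", "<input name=q>", False),
    ]
    for url, page, incog in samples:
        print(f"{url:32} incognito={incog!s:5} -> {classify(url, page, incog)}")
```

Running the block prints one line per constructed page; the `neutral` result for the hidden-field page shows why a CSRF token alone does not trigger the label, while the same page in Incognito does.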

This is just the latest stick in Google’s years-long carrot-and-stick battle to get sites to encrypt. One of the earliest sticks was an announcement the company made in 2014 about sites getting a better chance of ranking well in Google searches if they use encryption.

At the time Naked Security’s Mark Stockley said it might prove to be an inflection point for web security and, three years later, he thinks it was:

Making security a ranking signal for searches was a clear sign that Google meant business. Before the announcement, marketing departments had no reason to talk about HTTPS; now it’s on everyone’s SEO [Search Engine Optimisation] checklist.

Last month, Google moved its focus beyond HTTP and zeroed in on yet another protocol that lacks security: FTP (File Transfer Protocol). By the time Chrome 63 is released in December, all FTP resources will be marked as “Not secure” in the browser’s address bar.

Plus, earlier this month, Google announced that it will use HSTS (HTTP Strict Transport Security) preloading to make encryption mandatory for sites using any of 45 Top-Level Domains it’s controlled since 2015 as part of its domain registrar business.

That’s a big deal: it means that browsers will come pre-loaded with instructions that force them to use HTTPS to communicate with millions of sites, even if users click on links that start with http://.
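The mechanics behind that are worth seeing in code. The block below is an added example for this article, not Google’s or Chromium’s code. It does two things: it parses a `Strict-Transport-Security` header and reports why a site would fail the public preload list’s submission rules (the rules assumed here are those published at hstspreload.org: a `max-age` of at least one year, `includeSubDomains`, and the `preload` token), and it shows how a browser holding a table of preloaded hosts rewrites an `http://` link to `https://` before any request leaves the machine, including for subdomains of an entry flagged `includeSubDomains`. The host table and URLs use the constructed `example.test` domain, not any real preload entry.

```python
"""HSTS header checks and preload-driven URL upgrading (added example)."""
from urllib.parse import urlsplit, urlunsplit

# Preload submission requirement assumed from hstspreload.org: max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Split a Strict-Transport-Security value into {directive_name: value}.

    RFC 6797 forbids repeating a directive, so a duplicate is treated as an error.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"')
    return directives


def preload_problems(header):
    """Return the reasons a header fails the assumed preload rules; an empty list means eligible."""
    try:
        directives = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "max-age" not in directives:
        problems.append("max-age directive missing")
    else:
        try:
            max_age = int(directives["max-age"])
        except ValueError:
            problems.append("max-age is not an integer")
        else:
            if max_age < PRELOAD_MIN_MAX_AGE:
                problems.append(f"max-age {max_age} below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload token missing")
    return problems


def upgrade_url(url, hsts_hosts):
    """Rewrite an http:// URL to https:// if its host is covered by the HSTS table.

    hsts_hosts maps a known HSTS host to its includeSubDomains flag. A URL is upgraded when
    its host matches an entry exactly, or when it is a subdomain of an entry whose flag is
    set. An explicit port 80 is dropped so the request goes to the default HTTPS port.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return url
    host = parts.hostname.lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hsts_hosts and (i == 0 or hsts_hosts[candidate]):
            netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    # Constructed sample headers and host table; "example.test" stands in for a preloaded TLD.
    for header in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=10886400; includeSubDomains"):
        print(f"{header!r}: {preload_problems(header) or 'eligible'}")
    table = {"example.test": True}
    for link in ("http://shop.example.test/cart?item=1", "http://other.test/"):
        print(f"{link} -> {upgrade_url(link, table)}")
```

The second function is the part that makes preloading a “big deal”: the `http://` link in the page is never fetched as plaintext, because the rewrite happens from the browser’s built-in table rather than from a header the site would first have to deliver over an unprotected connection.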

In other good-for-users news, Google is reportedly planning to block what’s known as tab-under behavior in Chrome.

According to Bleeping Computer, which says it’s seen a relevant Google document, “tab-under” is Google’s name for the trick in which a site duplicates the page you’re reading in another tab and then shows an ad in the tab you’re looking at. Tab-under is a money-making ploy by advertisers: the payoff is revenue from ad impressions and redirection fees, but users don’t like it. Google engineers are reportedly looking at three ways to block tab-unders, and the first place we’ll see the new blocking will be in Chrome Canary.

But back to the encrypt-everything crusade: it’s been going on a while now, ramping up particularly during the unveiling of the ever-widening NSA/GCHQ/FBI/et al surveillance state. In 2014, Google itself went all out when it started forcing Gmail users to use HTTPS.

At that time, only 50% of the web requests handled by Google servers were encrypted.

That meant that some of the web’s most trafficked locations were vulnerable. The percentage of encrypted sites has gradually climbed over the past three years. By March 2016, Google’s Transparency Report said that it was securing 75% of the non-YouTube internet traffic it handled.

As far as the overall percentage of encryption goes, a report released by the Electronic Frontier Foundation in February said that half of all web traffic is now encrypted.

We’re not at full encryption yet, but as the screw turns it is slowly becoming the rule rather than the exception.