Spotting Insecure Websites Requires More Than Google's Red X

NEWS ANALYSIS: Google’s plan to flag websites as insecure depending on their support of the HTTPS protocol is well-intentioned. But it misses the mark in terms of flagging what’s secure and what’s not.


As you have probably heard by now, Google is apparently planning to change the way it flags websites according to their perceived security level.

To do this, according to media accounts, Google’s Chrome browser will display a red X adjacent to the Web address in the browser’s address bar. The existence of this marking is supposed to alert site visitors that the page they’re visiting doesn't have the ability to encrypt their communications.

In one sense, this is a nice idea. It’s easier to misdirect a browsing session if the site doesn't use encryption and therefore has no security certificate. It’s also easier to intercept your browsing session when you are sending or receiving sensitive information if all you’re using is HTTP.

However, it’s important to note that just flagging a site as insecure because it doesn't use encryption is no guarantee of security, nor is it an indication that there’s anything insecure or risky about a site that’s not encrypted. In fact, by sending traffic preferentially to encrypted sites, Google is placing smaller sites and sites run by individuals at a significant disadvantage without any offsetting benefit to Web users.

In effect, that red X can be a scarlet letter of shame for websites that have no security lapses other than not supporting HTTPS. What’s worse is that Google is planning to enforce its security plans by demoting sites without HTTPS in its search rankings. Small sites and sites run by individuals may not feel that spending $200 per year to set up a site with Secure Sockets Layer (SSL) is worth the cost or even something they can afford at all.

What’s worse is that a site running HTTPS can still be insecure; it can still host malware and it can still lead to a phishing site. The only difference is that you’ll feel warmer and fuzzier while it’s doing it.

Still, in many cases insisting on an SSL connection provided by an HTTPS site can be very important. Any site that’s doing ecommerce in any way at all needs a secure connection. If you don’t see the green padlock or the green address bar on your browser, then you don’t want to use it to share anything that includes personal or financial information.

I’m not suggesting that using an SSL-enabled website isn’t a good idea, because it is. It’s just that using SSL, which is what you get with an HTTPS page, is no guarantee of security. Likewise, just because you don’t see an indication that a page is secure is no indication that the page is inherently dangerous in any way.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...