Spotting Insecure Websites Requires More Than Google's Red X
NEWS ANALYSIS: Google’s plan to flag websites as insecure depending on their support of the HTTPS protocol is well-intentioned. But it misses the mark in terms of flagging what’s secure and what’s not.
As you have probably heard by now, Google is apparently planning to change the way it flags websites according to their perceived security level. To do this, according to media accounts, Google’s Chrome browser will display a red X adjacent to the Web address in the browser’s address bar. The existence of this marking is supposed to alert site visitors that the page they’re visiting doesn’t have the ability to encrypt their communications.
In one sense, this is a nice idea. It’s easier to misdirect a browsing session if the site isn’t encrypted and thus equipped with a security certificate. It’s also easier to intercept your browsing session when you are sending or receiving sensitive information if all you’re using is HTTP.
However, it’s important to note that just flagging a site as insecure because it doesn’t use encryption is no guarantee of security, nor is it an indication that there’s anything insecure or risky about a site that’s not encrypted. In fact, by sending traffic preferentially to encrypted sites, Google is placing smaller sites and sites run by individuals at a significant disadvantage without any offsetting benefit to Web users.
In effect, that red X can be a scarlet letter of shame for websites that have no security lapses other than not supporting HTTPS. What’s worse is that Google is planning to enforce its security plans by demoting sites without HTTPS in its search rankings. Small sites and sites run by individuals may not feel that spending $200 per year to set up a site with Secure Sockets Layer (SSL) is worth the cost or even something they can afford at all.