Google plans to introduce a warning system to alert users about potential security risks when they visit websites that do not use the HTTPS protocol.
Starting in 2015, users of Google’s Chrome browser who visit an HTTP site will receive an alert that the site may not be fully secure. Initial alerts will simply mark a non-HTTPS site as having “Dubious” security, but at a future date Chrome will start labeling such sites as “Non-secure.”
“The goal of this proposal is to more clearly display to users that HTTP provides no data security,” members of the Chrome Security Team said in a blog post.
“We all need data communication on the web to be secure (private, authenticated, untampered),” the blog noted. When a site offers no security, users need to be informed about it so they can decide how, and whether, to interact with the site.
A Google source close to the effort said the company plans to roll the system out over the course of next year, but does not yet have specific timing details for websites.
HTTPS websites use Secure Sockets Layer (SSL) encryption to protect traffic between the client and server. The digital certificate used to set up the encrypted session also authenticates the website, giving the user a further level of assurance. HTTPS websites therefore offer far better data protection than HTTP sites and guard against man-in-the-middle attacks and spoofed websites.
Popular browsers like Chrome, Firefox and Internet Explorer use a padlock icon in the navigation bar to indicate whether a website uses HTTPS. Going forward, Google’s plan is to have Chrome affirmatively indicate when a website is insecure because it uses HTTP.
Google’s proposal is part of an ongoing effort by the company to encourage broader adoption of HTTPS. Though HTTPS has been available for a long time, many sites still do not employ it.
A December 2013 survey of the top 100 e-commerce sites by High-Tech Bridge, for instance, found that only two sites automatically ensured their customers used secure HTTPS when placing orders or adding items to the shopping cart. About 27 percent did not use HTTPS at all for non-critical portions of their websites, while 7 percent did not enforce HTTPS even for functions like checkout, payment and logins.
Earlier this year, Google said it would start considering a website’s use of HTTPS when ranking the site in its search service. Sites that use the secure protocol will be viewed more favorably from a search-engine ranking perspective than HTTP sites.
In order to give website owners time to move to HTTPS, Google will attach only modest significance to HTTPS use at least initially. “But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS,” trend analysts from Google wrote earlier this year.
Google has also begun encouraging website owners to stop using the SHA-1 hash algorithm in certificate signatures for HTTPS. SHA-1 has been shown to be broken and vulnerable to attacks that it was originally designed to protect against, two security engineers wrote in September.
“We plan to surface, in the HTTPS security indicator in Chrome, the fact that SHA-1 does not meet its design guarantee.” The warnings will range from a “secure, but with minor errors” notice to “affirmatively insecure.”
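The condition Chrome will flag, a certificate whose signature uses SHA-1, can be checked by a site owner from the raw certificate alone. The following is an added example, not code from the article or from Google: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and compares it against the SHA-1 algorithm identifiers. The `fake_cert` helper builds skeletal test certificates (constructed data, not real certificates), while `fetch_host_cert` shows how the same check applies to a live server using only the Python standard library.

```python
import ssl

# OIDs of SHA-1 based signature algorithms that Chrome's warning targets.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der_cert):
    """Extract the outer signatureAlgorithm OID; tbsCertificate is skipped unparsed."""
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a DER SEQUENCE")
    _, _, after_tbs = _read_tlv(cert_body, 0)           # skip tbsCertificate
    _, alg_body, _ = _read_tlv(cert_body, after_tbs)    # AlgorithmIdentifier
    oid_tag, oid_bytes, _ = _read_tlv(alg_body, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier must begin with an OID")
    return _decode_oid(oid_bytes)


def is_sha1_signed(der_cert):
    return signature_algorithm_oid(der_cert) in SHA1_SIGNATURE_OIDS


def fetch_host_cert(host, port=443):
    """Fetch a live server certificate as DER (network access required)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def fake_cert(alg_oid_der):
    """Constructed skeletal DER certificate for testing; not a real certificate."""
    tbs, sig = b"\x30\x00", b"\x03\x02\x00\x00"
    alg = b"\x30" + bytes([len(alg_oid_der) + 4]) + b"\x06" + bytes([len(alg_oid_der)]) + alg_oid_der + b"\x05\x00"
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body
```

Running `is_sha1_signed(fetch_host_cert("example.invalid"))` against your own hostname reports whether the leaf certificate would trigger the indicator; intermediates in the chain should be checked the same way.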