Google's Chrome Browser May Soon Mark HTTP Sites Unsafe

Google reportedly plans to introduce a feature in its Chrome browser that warns users when they land on a HTTP site.

Google Chrome, secure browser

Google is reportedly getting ready to implement a proposal it made slightly more than a year ago to include a feature in its Chrome browser that will warn Internet users when they land on an unencrypted HTTP Website.

The plan apparently is to have Chrome display a red "X" over a padlock icon in the URL bar when a user visits an HTTP Website, Motherboard said in a report earlier this week. Google has not publicly reported when it plans to formally introduce this feature. But a Google employee who wanted to remain anonymous confirmed that it could happen soon, Motherboard said.

Google did not respond immediately to a request seeking confirmation of its reported plans.

The company, however, has previously noted that it wants to give users a way to know when they are on a potentially unsafe site. The company has for sometime now said that it considers sites using plain HTTP to be unsafe and not sufficient to protect a user's privacy or data online. It has been encouraging Website owners to deploy HTTPS so traffic between the user's browser and the Website remains encrypted at all times.

Many browsers, including Chrome, indicate affirmatively when a user is on a secure HTTPS page. Chrome also warns users about sites that Google considers unsafe because of malware, spam or other potential security issues. However, for the moment, Chrome like other browsers does nothing affirmatively to alert users when they are on a plain HTTP site. All that the browser shows in the URL bar when a user is on a HTTP page is an icon of a blank page.

Google wants to change that to spur more Website owners to implement HTTPS. "HTTP provides no data security," Google software engineer Chris Palmer had posted on the Chromium Project site in December 2014 when first announcing the company's proposal to implement the new feature in Chrome.

At that time, he had noted that Google would devise and start deploying a transition plan for Chrome sometime in 2015. "We all need data communication on the Web to be secure (private, authenticated, untampered)," he noted.

"When there is no data security, the [browser] should explicitly display that, so users can make informed decisions about how to interact with an origin."

The company has pointed to incidents like the National Security Agency's use of Google cookies to identify targets for surveillance and Verizon's use of its "perma-cookie" technology to track users as reasons why HTTP is no longer sufficient to protect Internet users.

While people might observe a warning sign, they do not perceive the absence of one, Palmer noted. Yet the only situation where Web browsers do nothing to warn users is when they are on an HTTP site and have no chance of security, he said.

The company has insisted that its plan to introduce the new feature in Chrome will not break plain HTTP sites but merely introduce a new security alerting capability. It has also downplayed concerns over the expense that Websites might have to incur to obtain the Secure Sockets Layer (SSL) certifications needed to implement HTTPS. Some providers offer free or inexpensive certificates that Websites can use, the company has said. And efforts like the Let's Encrypt project give Websites easy access to free certificates, Google has pointed out.

Jaikumar Vijayan

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.