Google Is Cracking Down on Insecure Websites in a Big Way
Stop trusting websites that use HTTP.
Google Chrome is going to annoy people into making the internet a safer place.
The company said today that it’s planning to warn consumers that websites using HTTP, rather than its newer, more secure counterpart HTTPS, are insecure. Starting in January 2017, the warning will apply to websites that deal with passwords or credit card data, and it will later expand to include all websites.
In other words, if your website is unsecured (its address starts with http://www and not https://www), visitors are going to see a big old red warning up in their address bar next to the site’s address.
“In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as ‘not secure’ in Incognito mode, where users may have higher expectations of privacy,” the company explained in this morning’s blog post. “Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”
Google has planned to do something like this since at least 2014 and has reaffirmed its position several times throughout 2016. Now the company is providing clear guidance about how it’s going to tackle this problem, why it thinks these changes are necessary, and when people will notice a difference.
This is just one way Google is attempting to improve Google Chrome’s security. The company is also working on post-quantum encryption so it can secure data even after quantum computing breaks current encryption tools. That research is theoretical, though, while promoting HTTPS is practical.
Others are also trying to get website operators to switch to HTTPS. Let’s Encrypt, an initiative run by the Electronic Frontier Foundation, said in March that it had already issued 1 million certificates so website owners could use the protocol. HTTPS is the internet’s future — Google and the EFF are just helping it along.
Below is the change Google plans to make with Google Chrome in January. It’s subtle, but when it takes up more space in people’s web browsers and plainly says that a website is not secure, people are bound to notice.
If that has even a slight effect on the websites they choose to visit, operators are going to have to respond, and that will be a good thing for everyone who uses the internet.