NEARLY TWO YEARS ago, Google made a pledge: It would name and shame websites with unencrypted connections, a strategy designed to spur web developers to embrace HTTPS encryption. On Tuesday, it is finally following through.
With the launch of Chrome 68, Google will now call out sites with unencrypted connections as “Not Secure” in the URL bar. The move flips the convention of how Chrome displays the security of sites on its head. Previously, pages that deployed HTTPS-enabled encrypted connections featured a green lock icon and the word “Secure” in the URL bar. HTTP sites had a small icon that you could click for more information; if you did, it read “Your connection to this site is not secure. You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.”
It’s a warning worth heeding. Under an unencrypted HTTP connection, any information that you send across the web can be intercepted by a hacker or other bad actor. In extreme cases, like in what are called man-in-the-middle attacks, someone could pose as a destination site—tricking you into handing over your credentials, credit card info, or other sensitive information.
“Encryption is something that web users should expect by default,” says Chrome security product manager Emily Schechter.
The use of HTTP has privacy implications as well. If you’re browsing on an unsecured connection, your internet provider and any bad actors can hypothetically see not just which site you’re on, but what specific pages. Not so with HTTPS, a benefit that has clear implications for, say, adult sites. Even innocuous sites—pages that neither ask for nor contain sensitive information—have good reason to embrace it.
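To make the privacy point concrete, here is an added example (not from the article or from Google) that contrasts what a passive on-path observer, such as an ISP or a shared Wi-Fi network, can read from a plaintext HTTP request against what it can read from the start of a TLS connection. The HTTP request bytes and the TLS ClientHello are constructed inline for the demonstration; the hostname `shop.example` and the cookie value are made up. In plaintext HTTP the method, full path, query string and cookies are all visible; in HTTPS the only application-level identifier the ClientHello exposes is the hostname in the Server Name Indication (SNI) extension, while the path and headers are sent encrypted after the handshake.

```python
"""What an on-path observer learns from plaintext HTTP versus a TLS ClientHello.

All sample data here is constructed for illustration; none of it is real traffic.
"""
import struct

# Constructed sample: a plaintext HTTP/1.1 request exactly as it crosses the wire.
SAMPLE_HTTP_REQUEST = (
    b"GET /account/settings?tab=billing HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"\r\n"
)


def observe_plaintext_http(raw: bytes) -> dict:
    """Return what a passive observer learns from one HTTP request: everything."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "host": headers.get("host"),
        "method": method,
        "path": target,
        "cookies": headers.get("cookie"),
    }


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Only the fields needed for the demonstration are populated (constructed sample)."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name        # type host_name(0)
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + bytes(32)                            # random (zeros; constructed sample)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite listed
        + b"\x01\x00"                          # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_tls_client_hello(record: bytes) -> dict:
    """Return what a passive observer learns from a ClientHello: the SNI hostname only.
    Path, query string, cookies and other headers are sent encrypted after the handshake."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                     # skip session_id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2 + cs_len                          # skip cipher suites
    pos += 1 + record[pos]                     # skip compression methods
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end = pos + ext_total
    sni = None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, 1-byte name type, 2-byte name length, name
            (name_len,) = struct.unpack_from("!H", record, pos + 3)
            sni = record[pos + 5 : pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return {"host": sni, "method": None, "path": None, "cookies": None}


if __name__ == "__main__":
    print("Plaintext HTTP exposes:", observe_plaintext_http(SAMPLE_HTTP_REQUEST))
    hello = build_client_hello("shop.example")
    print("TLS ClientHello exposes:", observe_tls_client_hello(hello))
```

Running the script prints the full path and session cookie for the plaintext request, and only the hostname for the TLS connection. That hostname leak is exactly why the article's privacy benefit is phrased in terms of "what specific pages" rather than "which site": SNI still names the server, but the page, query parameters and cookies stay inside the encrypted channel.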
“You may occasionally be in a coffee shop. If you go to a non-HTTPS site, sometimes you’ll get ads that pop over the page. Those aren’t ads from the web page; they’ve been injected somewhere along the way. That kind of behavior is what HTTPS overcomes,” says Ross Schulman, senior counsel at New America’s Open Technology Institute. “It’s not just ads. Malware is served this way, a lot. It’s not just about making sure that user information is private; it really ensures the integrity of the website.”
Sticking a warning sign in front of unencrypted sites is just one step in a broader ongoing plan. In January 2017, Chrome put a warning on HTTP sites that asked for credit card information. Several months later, it extended the warning to HTTP sites visited in so-called incognito windows.
Despite the broader security benefits, Google’s HTTPS push is not without its critics. Developer Dave Winer, one of the creators of RSS, objects to what he views as Google imposing its will on the open web. “The fact is that they’re forcing it,” says Winer, who also wrote a detailed objection in February. “They’re just the tech industry. The web is so much bigger than the tech industry. That’s the arrogance of this.”
Winer worries that forced HTTPS adoption—and scolding sites that don’t embrace it—will penalize web developers who don’t have the wherewithal to implement it, and potentially cordon off older, passively managed corners of the internet. He also says that Google won't stop here: “Was this the only way to achieve this end? Because this is draconian. If this were done properly, it would have been deliberated, and a lot of people who aren't in the tech industry would have had a say in it.”
For what it’s worth, Chrome is not alone in posting warnings next to HTTP sites; Firefox has explored it also. Between the two, they hold 73 percent of browser market share. In addition, Google notes that the vast majority of Chrome traffic—76 percent on Android, and 85 percent on ChromeOS—already travels across an HTTPS connection. Gains have come not only from Google, but also from a broader push toward HTTPS that ranges from hosting sites like WordPress and Squarespace, to internet infrastructure firms like Cloudflare, to Let’s Encrypt, which provides free certificates that enable HTTPS connections. As of Tuesday, Let's Encrypt is encrypting 113 million sites.
“It’s not like you need a big IT department or a ton of money to turn on HTTPS. Particularly for small, simple sites, it should be extremely easy and straightforward,” Schechter says.
The ubiquity of HTTPS was no sure bet as recently as two years ago, when only 37 of the top 100 sites on the web used it. Now, according to Google, 83 do. (WIRED made the jump in 2016, in a rollout that took five months and no small number of headaches.) Let’s Encrypt in particular has been a boon to smaller site operators.
“Expecting every website to enable HTTPS would have been unreasonable prior to the existence of Let's Encrypt, which lowers financial, technical, and educational barriers to enabling HTTPS,” says Josh Aas, cofounder of Internet Security Research Group, the organization behind Let’s Encrypt. “Our focus on ease of use at scale has been a primary driver behind the incredible growth in HTTPS deployment in recent years.”
In many ways, Tuesday’s announcement is just the continuation of a plan to promote HTTPS around the web. In September, Google will remove the “Secure” indicator next to HTTPS sites, a sign that encrypted connections largely have become the default posture online. And in October, if you attempt to enter data on an HTTP page, Chrome will show you a “not secure” warning in red.
The web still has plenty of dangers, and HTTPS may take a toll on certain sites that can’t or won’t upgrade. But at least from now on you can make a baseline assumption that your connection is secure. Because if it’s not, Chrome will tell you.