
Chrome turns the screw ever tighter in Google’s encryption crusade

HTTPS is slowly becoming the rule rather than the exception

You might remember how, in January, Google started shaming sites that don’t use encryption when dealing with passwords or credit cards.

That was just a first step. Get ready for the screws to be tightened down yet again on sites that fail to scramble the data that flows between you and the websites you visit.

Namely, in a few weeks, the “Not secure” label is going to spring up in two additional, common scenarios: when users enter any data at all on an HTTP page, and on all HTTP pages visited in Incognito mode.

The stronger push toward HTTPS is coming in Google Chrome 62, due to ship on 17 October for Mac/Windows/Linux. An update of Chrome OS will arrive a week later.

As Google explained in April, these next steps toward more connection security are necessary because we need everything we type into a website to be private as it flies across the internet to its destination (and to be sure that destination is the one we think it is), not just passwords and credit cards:

Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites.

Likewise, the “Not secure” label makes sense for Google’s Incognito mode, given that Incognito users very likely expect privacy, according to Emily Schechter from the Chrome Security Team. Incognito mode or no, they aren’t getting that privacy if they’re on an HTTP page, she said.

HTTP browsing is not private to others on the network, so in version 62 Chrome will also warn users when visiting an HTTP page in Incognito mode.

This is just the latest stick in Google’s years-long carrot-and-stick battle to get sites to encrypt. One of the earliest sticks was an announcement the company made in 2014 that sites using encryption would get a better chance of ranking well in Google searches.

At the time Naked Security’s Mark Stockley said it might prove to be an inflection point for web security and, three years later, he thinks it was:

Making security a ranking signal for searches was a clear sign that Google meant business. Before the announcement marketing departments had no reason to talk about HTTPS, now it’s on everyone’s SEO [Search Engine Optimisation] checklist.

Last month, Google moved its focus beyond HTTP and zeroed in on yet another protocol that lacks security: FTP (File Transfer Protocol). By the time Chrome 63 is released in December, all FTP resources will be marked as “Not secure” in the browser’s address bar.

Plus, earlier this month, Google announced that it will use HSTS (HTTP Strict Transport Security) preloading to make encryption mandatory for sites using any of 45 Top-Level Domains it’s controlled since 2015 as part of its domain registrar business.

That’s a big deal: it means that browsers will come pre-loaded with instructions that force them to use HTTPS to communicate with millions of sites, even if users click on links that start with http://.
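To make the HSTS preloading mechanism concrete, here is an added example (not from the article, and not Google’s or Chromium’s code) that does two things: it parses a `Strict-Transport-Security` response header and checks it against the publicly documented hstspreload.org submission requirements (`max-age` of at least one year, `includeSubDomains`, and the `preload` directive), and it models how a client that honours a built-in preload entry rewrites `http://` URLs to `https://` before any request is sent. The preload entries and hostnames used (`example`, `www.example.test`) are constructed for the demonstration; the real list is compiled into the browser.

```python
"""Added example: Strict-Transport-Security parsing, preload-eligibility
checks, and the URL upgrade a browser applies for preloaded hosts."""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the preload list requires max-age >= one year


def parse_sts(header):
    """Parse an STS header value into its three relevant directives.

    Directive names are case-insensitive; unknown directives are ignored,
    as RFC 6797 requires a conforming client to do.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                result["max_age"] = int(value)
            except ValueError:
                result["max_age"] = None  # a non-numeric max-age is unusable
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def preload_problems(header):
    """Return the list of reasons the header would fail preload submission."""
    d = parse_sts(header)
    problems = []
    if d["max_age"] is None:
        problems.append("missing or non-numeric max-age")
    elif d["max_age"] < ONE_YEAR:
        problems.append(f"max-age {d['max_age']} is below one year ({ONE_YEAR})")
    if not d["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not d["preload"]:
        problems.append("preload directive missing")
    return problems


class PreloadList:
    """Minimal model of a browser's compiled-in HSTS list (constructed data)."""

    def __init__(self, entries):
        # entries: {hostname: include_subdomains}; a bare TLD entry such as
        # "example" with include_subdomains=True covers every name under it.
        self.entries = {h.lower(): bool(s) for h, s in entries.items()}

    def is_preloaded(self, host):
        """True if host matches an entry exactly, or a parent entry that
        was registered with includeSubDomains."""
        host = host.lower().rstrip(".")
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.entries and (i == 0 or self.entries[candidate]):
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// if the host is preloaded,
        so the plaintext request is never sent at all."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_preloaded(parts.hostname or ""):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):  # the default HTTP port has no meaning over TLS
            netloc = netloc[:-3]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(preload_problems("max-age=300"))
    print(preload_problems("max-age=31536000; includeSubDomains; preload"))
    plist = PreloadList({"example": True, "www.example.test": False})
    print(plist.upgrade("http://shop.example/cart?x=1"))
    print(plist.upgrade("http://sub.www.example.test/"))
```

The subdomain matching is the point to study: an entry registered without `includeSubDomains` protects only that exact hostname, which is why preload submission insists on the directive, so that a single unprotected subdomain cannot be used to serve a plaintext page under a "secure" parent domain.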

In other, good-for-users news, Google is reportedly planning to block what’s known as tab-under behavior in Chrome.

According to Bleeping Computer, which says it’s seen a relevant Google document, “tab-under” behavior is what Google calls it when a site duplicates the page you’re reading in another tab and then shows an ad in the tab you’re looking at. Tab-under is a money-making ploy by advertisers: the payoff is revenue from ad impressions and redirection fees, but users don’t like it. Google engineers are reportedly looking at three ways to block tab-unders, and the first place we’ll see the new blocking will be in Chrome Canary.

But back to the encrypt-everything crusade: it’s been going on for a while now, ramping up particularly during the unveiling of the ever-widening NSA/GCHQ/FBI/et al surveillance state. In 2014, Google itself went all out when it started forcing Gmail users to use HTTPS.

At that time, only 50% of the web requests handled by Google servers were encrypted.

That meant that some of the web’s most trafficked locations were vulnerable. The percentage of encrypted sites has gradually climbed over the past three years. By March 2016, Google’s Transparency Report said that it was securing 75% of the non-YouTube internet traffic it handled.

As far as the overall percentage of encryption goes, a report released by the Electronic Frontier Foundation in February said that half of all web traffic is now encrypted.

We’re not at full encryption yet, but as the screw turns it is slowly becoming the rule rather than the exception.


7 Comments

When 100% of Adsense ads are encrypted then I’ll encrypt my site. That is the screw that needs to be turned next. Luckily I don’t have users input anything so my site is least risky, but I still would like to get it done without losing revenue.


Well, I think that this is a darn good idea. Since there is a huge number of users out there that will pay heed to the risks associated with the Internet, making security the DEFAULT might just keep ’em a little bit safer.


Now that’s stupid. I don’t need encryption for writing a comment (that will be public anyway) or for entering my zip code to see shops near me… I may *want* it, but it’s not *needed* in the sense that it would be a major vulnerability to send such data unencrypted like it is with passwords.


It’s very difficult for browsers to determine the nature, sensitivity and context of data being entered into a web form.

There is no semantic markup that represents an SSN field or a credit card number for example so a browser attempting to trigger a warning if you attempt to send an SSN or credit card number over an HTTP connection has to guess. But of course it isn’t just those two data types, if you wanted to force HTTPS for all data that *needs* to be encrypted but not for those that don’t you’d have to determine every possible type of sensitive data, each way that data might be represented, the sensitivity of that data in a given locale and all the possible translations (and you’d be giving yourself a moving target to hit.)

The alternatives are: no warnings – which leaves users at the mercy of websites that don’t encrypt data that needs to be encrypted other than passwords; warnings for all unencrypted data, which guarantees that all data that needs to be encrypted is.

I’d say this change to Chrome isn’t just not stupid, it’s probably the only non-stupid approach available.

HTTPS also tells you who or what you are talking to and whether your requests are being intercepted; it prevents modification of the data on the wire, preventing things like ad injection; and if everyone uses encryption, nobody looks suspicious, and no data stands out as being higher value just because encryption is being used.


As Mark has already pointed out, HTTPS isn’t just about encryption, though everyone zooms in on that.

HTTPS is about improving end-to-end correctness in all senses, and when you are posting a public comment that could come back to you, I’d say you want HTTPS to the point that you should consider it a need.

Cryptography isn’t only about secrecy, but at least as much about integrity (so no one can change your comment while it’s in transit, in order to embarrass you) and authenticity (so you can have high confidence that the comment is going where you intended it to).


Well, things changed: in July 2018, Chrome 68 will flag all websites which do not have proper SSL.
In other words, sooner or later, Google will force all website owners to have HTTPS on their website.

In July 2018, more than 60% of websites will be flagged as not secure, so as much as we do not like it much, Google will lead other browsers to follow and adopt the new restrictions.
