Google to Label Millions of Sites as Not Secure
In an effort to warn users of online dangers, Google's Chrome browser will soon label standard HTTP-based websites that ask for passwords or credit-card numbers with an "i" for "insecure" right in the URL address bar.
The plan, set to go into effect with Chrome 56 in January, will affect millions of websites. Many newspaper websites, for example, ask users to input sensitive information into form fields, yet don't encrypt that information as it travels over the web. (Tom's Guide is mostly unencrypted, but shifts to the encrypted HTTPS protocol for login pages.)
"Chrome currently indicates HTTP connections with a neutral indicator," a Google blog posting yesterday (Sept. 8) read. "This doesn't reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."
Chrome labels properly configured HTTPS websites (the "s" stands for "secure") with a green padlock icon in the address bar; HTTPS sites with misconfigured encryption get a red warning triangle. Plain-vanilla HTTP sites, which transmit all data going to and from the user in the clear, get a boring gray icon of a blank sheet of paper.
That last part's about to change for HTTP sites that ask for sensitive info. For example, one newspaper site in the San Francisco Bay Area invites users to log in with usernames and passwords, and even register with full names, street addresses and dates of birth (three of the four criteria often used to steal identities), all over unencrypted connections.
Beginning in January, those sites' address-bar icons will change from the blank piece of paper to a gray "i" in a circle, accompanied by the words "Not secure," as indicated below.
But that won't be the end of the process. Google also plans to label all HTTP sites viewed in Incognito mode with the insecure "i," although no timetable was given for that. Then, someday, all HTTP sites viewed in any mode, with or without form fields, will get the dreaded red triangle.
"Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS," yesterday's blog posting said.