Three and a half years ago, Google predicted the day would come when Chrome would warn us all of the security risks of using the web’s seminal HTTP technology to deliver web pages to your browser.
That day is today.
Google’s latest web browser version, Chrome 68, gives new prominence to a broad effort to curtail surveillance, tampering and security risks on the web by showing a “not secure” warning for any HTTP website. Instead, Google wants website operators to use HTTPS, which encrypts the connection between your browser and the server hosting a website and lets the browser verify that it is talking to the genuine site rather than an impostor.
HTTPS blocks a number of problems, like third parties injecting ads, getting your browser to run software to mine someone else’s cryptocurrency or sending you to fake websites used to steal your passwords. For details, check CNET’s FAQ on Chrome’s “not secure” warning for HTTP websites.
Google announced the long-planned security warning in a blog post Tuesday. “This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager.
The “not secure” warning doesn’t indicate that you’ve been hacked — just that you’re not as protected if someone tries to do so.
It’s not an academic issue, though — when you’re on a network connection in a coffee shop, airplane, airport or hotel, middlemen can inject advertisements, monitor your communications or tamper with websites. And Chinese and Egyptian governments have exploited HTTP connections to punish websites they don’t like and to inject ads.
HTTPS now is commonplace
HTTPS once was rare, protecting logins and e-commerce transactions. But now it’s common, protecting 85 percent of Chrome traffic from personal computers and 76 percent on Android, Schechter said. Most of the big sites you might use daily — Facebook, Yahoo, Google, Twitter, YouTube, Reddit — have long offered HTTPS.
But it’s not universal. Only five-sixths of the top 100 websites steer you to their HTTPS versions even if you type in an HTTP address, Google said. And it’s not hard to find sites like ESPN that send you to an unencrypted HTTP connection even if you specifically type “https://www.espn.com” into your browser’s address bar.
Troy Hunt, an independent security researcher and HTTPS advocate, posted a list on Tuesday of the top websites that still serve pages over HTTP if you request them that way. The biggest is Chinese search engine Baidu, though it will provide its site over HTTPS if you specifically request the encrypted version of the site. Hunt’s Why No HTTPS? website also lets you look country by country to see the top websites that aren’t yet protected.
Cloudflare, a company that helps websites distribute their content and another HTTPS advocate, tweeted on Sunday that 542,605 of the million most popular websites are still available on HTTP and don’t redirect you to their HTTPS versions.
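The redirect behaviour that Hunt’s and Cloudflare’s tallies count can be checked per host. The script below is an added example, not code from CNET, Google, Troy Hunt or Cloudflare: it follows each site’s redirect chain starting from both http:// and https:// and classifies the result as upgrading (plain HTTP sent to HTTPS), downgrading (the ESPN pattern, where typing https:// lands you on HTTP), optional (the Baidu pattern, both served with no redirect) or HTTP-only, and records whether the HTTPS response sets an HSTS header. The `fetch` interface, the `*.example` hostnames and their responses are constructed assumptions so the demo runs offline; `live_fetch` issues real requests.

```python
"""Classify a host's HTTP/HTTPS redirect behaviour.

Added example, not CNET's, Google's, Troy Hunt's or Cloudflare's code.
Follows 3xx Location redirects from http://host/ and https://host/ and reports:
  upgrades   - plain HTTP is redirected to HTTPS
  downgrades - typing https:// lands you back on plain HTTP (the ESPN pattern)
  optional   - both schemes served, no redirect either way (the Baidu pattern)
  http-only  - nothing answers over TLS
`fetch(url) -> (status, lowercase headers)` is an assumed interface so the
demo can run on constructed responses; `live_fetch` does a real request.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10  # bounds redirect loops (http -> https -> http -> ...)


def follow(url, fetch, max_hops=MAX_HOPS):
    """Return (urls visited, headers of the last fetched response)."""
    chain, headers = [url], {}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES or "location" not in headers:
            break
        chain.append(urljoin(chain[-1], headers["location"]))
    return chain, headers


def classify(host, fetch):
    """Probe both schemes for host and summarise where a browser would end up."""
    http_chain, _ = follow(f"http://{host}/", fetch)
    try:
        https_chain, https_headers = follow(f"https://{host}/", fetch)
    except OSError:  # closed port, handshake failure, etc.
        return {"host": host, "verdict": "http-only", "hsts": False,
                "http_chain": http_chain, "https_chain": []}
    http_final = urlsplit(http_chain[-1]).scheme
    https_final = urlsplit(https_chain[-1]).scheme
    if https_final == "http":
        verdict = "downgrades"
    elif http_final == "https":
        verdict = "upgrades"
    else:
        verdict = "optional"
    # HSTS only counts if the browser actually ended up on an HTTPS response.
    hsts = https_final == "https" and "strict-transport-security" in https_headers
    return {"host": host, "verdict": verdict, "hsts": hsts,
            "http_chain": http_chain, "https_chain": https_chain}


def live_fetch(url, timeout=10):
    """One GET without following redirects (real network; not used by the demo)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"User-Agent": "https-check/0.1"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


# Constructed responses modelled on the behaviours the article describes;
# the *.example hosts are placeholders, not captures of the named sites.
CONSTRUCTED = {
    "http://good.example/": (301, {"location": "https://good.example/"}),
    "https://good.example/": (200, {"strict-transport-security": "max-age=31536000"}),
    "https://downgrade.example/": (302, {"location": "http://downgrade.example/"}),
    "http://downgrade.example/": (200, {}),
    "http://optional.example/": (200, {}),
    "https://optional.example/": (200, {}),
    "http://plain.example/": (200, {}),
}


def fixture_fetch(url):
    """Offline stand-in for live_fetch; unknown URLs behave like a closed port."""
    if url not in CONSTRUCTED:
        raise ConnectionError(f"no listener for {url}")
    return CONSTRUCTED[url]


if __name__ == "__main__":
    import sys
    fetch = live_fetch if len(sys.argv) > 1 else fixture_fetch
    hosts = sys.argv[1:] or ["good.example", "downgrade.example",
                             "optional.example", "plain.example"]
    for h in hosts:
        r = classify(h, fetch)
        final = r["https_chain"][-1] if r["https_chain"] else "unreachable"
        print(f"{h:<20} {r['verdict']:<10} hsts={r['hsts']}  https:// -> {final}")
```

Run it with no arguments for the offline demo, or pass hostnames to probe live. Two caveats for live use: a site may answer differently depending on path, Host header or User-Agent, so probe the pages users actually visit, and a downgrade is only prevented for returning visitors once the site sends HSTS (or is on the browser preload list, which this script does not consult).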
“We’ve been plodding along standing up billions of websites and usually having no idea whether requests are successfully reaching the correct destination, whether they’ve been observed, tampered with, logged or otherwise mishandled somewhere along the way,” Hunt said in a blog post Tuesday. “We’d never sit down and design a network like this today, but as with so many aspects of the web, we’re still dealing with the legacy of decisions made in a very different time.”
Chrome is the top browser, accounting for 59 percent of website usage, according to analytics firm StatCounter. So its choices carry a lot of weight.
Other browsers don’t yet show the “not secure” warning for HTTP connections. But one browser automatically upgrades HTTP connections to HTTPS when a site offers them.
Protecting website communications with HTTPS used to be more difficult, in part because it cost money. But an effort sponsored by Google, Mozilla, Facebook and others called Let’s Encrypt has made it free to obtain the necessary certificate. It still takes work to update a website to HTTPS, though.
Next phases in Chrome’s HTTPS plans
Google’s push against HTTP and in favor of HTTPS has been gradual. It began with warnings when HTTP was used on web pages where you could share sensitive information like passwords and credit card numbers. Today’s warning, shown in black wording on the left side of Chrome’s address bar, is for any HTTP website.
The change that arrives Tuesday with Chrome 68 isn’t the last, though. Chrome 69 in September will change from today’s green-word “secure” label for HTTPS websites to less obvious black. Chrome 70 in October will change the “not secure” warning to more noticeable red words. And a later version will remove the “secure” label for HTTPS websites, reflecting Google’s belief that HTTPS encryption should be the norm, not something you should have to check for.
“Our eventual goal,” Schechter said, “is that the default unmarked state is secure.”
First published July 24 at 5 a.m. PT.
Update, 8:02 a.m. PT: Adds background on the HTTP transition from Troy Hunt and Cloudflare. Update, 10 a.m. PT: Adds comment from Google and details on how much Chrome traffic is encrypted today.