sb-eu logo
Story image

Google gears up to mark all HTTP pages as 'not secure'

22 May 2018

From September 2018 Google will no longer display HTTPS pages as secure in its Chrome browser, in a move that further cements its position to make all websites secure by default.

Last week Chrome Security product manager Emily Schechter explained that internet users should expect that webpages are safe by default – and they will only be told when there’s an issue.

Previously, we posted a proposal to mark all HTTP pages as definitively “not secure” and remove secure indicators for HTTPS pages. HTTPS usage on the web has taken off as we’ve evolved Chrome security indicators. Later this year, we’ll be taking several more steps along this path,” Schechter says in the blog.

Google first announced its efforts in September 2016, and has since completed two phases towards making all pages HTTPS secure.

Currently Google Chrome marks all HTTP pages as not secure if they have password of credit card fields. It also shows HTTP pages as not secure when users enter data, and when users visit HTTP pages through incognito mode.

According to a blog from February 2018, more than 68% of Chrome traffic on Android and Windows is protected. 78% of traffic on Chrome OS and Mac is also protected. In July 2018 the third phase will mark all HTTP pages as not secure. In September 2018, all HTTPS will be marked as neutral rather than secure.

Schechter explains what these changes mean for users:

“Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the ‘Secure’ wording and HTTPS scheme in September 2018 (Chrome 69).”

In October 2018, HTTP will be marked in red as ‘not secure’.

“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages,” Schechter explains.

Google also says that HTTPS is now cheaper and easier than ever – some services even offer security certificates for free.

The company also points out that HTTP sites will continue to work and there are no plans to block them in Chrome; the only thing that will change is the security indicators.

“We hope these changes continue to pave the way for a web that’s easy to use safely, by default,” Schechter concludes.

Story image
Phishing scam imitates SharePoint & OneNote for nefarious clicks
Sophos researchers say that the attackers take a slightly different approach to the standard ‘fake login’ phishing email.More
Story image
Misinformation on the rise, organisations consider how best to respond
The increase in misinformation and fake domains have left organisations perceiving the threat level to be ‘very significant’, with a third planning greater emphasis on their ability to respond in coming months.More
Story image
California's CCPA now enforced worldwide
“The expansive reach of the CCPA and scope of data it covers can make compliance feel daunting to many,” comments ISACA Privacy Group member David Bowden.More
Story image
Remote staff overestimating knowledge of cybersecurity basics
‘Unconscious incompetence’ is one of the most difficult issues to identify and solve with security awareness training.More
Story image
Is cyber deception the latest SOC 'game changer'?
Cyber deception reduces data breach costs by more than 51% and Security Operations Centre (SOC) inefficiencies by 32%, according to a new research report by Attivo Networks and Kevin Fiscus of Deceptive Defense.More
Story image
The guide to digital security in unstable times
An increase in vulnerability across different sectors has meant that 2020 has seen more than its fair share of cybersecurity incidents. One of the most effective ways to combat the perils of today’s cyber-threats is to gain a better knowledge of the threat vectors looming over the heads of organisations. More