To protect website visitors from hackers who routinely exploit the weak security of websites still served over unencrypted HTTP, Chrome will start marking all HTTP sites as “not secure” from July this year.
Chrome has started offering new tools and mixed content audits to website developers to help them migrate their sites from HTTP to HTTPS in the coming days.
HTTPS is the secure version of HTTP, backed by a security certificate, which assures users that they are on a safe website and that any information they send to the site is well-protected. As such, any website still served over HTTP, or whose certificate relies on Secure Hash Algorithm 1 (SHA-1), may not be able to completely secure confidential customer information. SHA-1 is an outdated hashing algorithm that has been known to be insecure since 2005. The modern security standard is SHA-2, which all browsers now support.
Fortunately, popular browsers like Google Chrome now display warnings that flag some websites as insecure. When users visit secure websites, they see a green padlock in the address bar for HTTPS connections, which confirms that the site is secure.
This initiative by Google has ensured that 81 of the top 100 websites on the web are now using HTTPS by default, over 78% of Chrome traffic on both Chrome OS and Mac is now protected, and over 68% of Chrome traffic on both Android and Windows is now protected.
However, in a recent blog post, Emily Schechter, product security manager at Google Chrome, said that in order to protect website visitors from being exposed to security vulnerabilities on the remaining HTTP websites, Chrome will start marking all HTTP sites as “not secure” from July this year. This update will be part of Chrome 68, which will be launched around the same time.
“Chrome is dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving web pages.
“The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version,” she said.
“Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP,” she added.
This isn’t the first time that Chrome has announced its intent to ultimately blacklist all websites still using HTTP. In May last year, Google announced that it was aiming to mark all non-HTTPS pages as ‘Not Secure’ in red, which will be more noticeable to visitors than the small ‘i’ icon that appears in the address bar at present.
“Without encryption, governments can more easily survey sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens. Accounts may also be hijacked, pages may be censored, other security flaws could expose sensitive user information and communications,” said Wikipedia, which enjoys some of the highest web traffic of any website and implemented HTTPS to encrypt all traffic on its websites in 2015.