It’s one small step for Chrome, one giant leap for web security
Chrome 68 will be made available for Android, Linux, macOS, and Windows from today – complete with a new interface designed to steer users away from insecure sites.
The latest iteration of Google’s freeware browser sees the company follow through with its promise of marking all HTTP sites as “not secure”.
The tech giant confirmed its intentions back in February, with Chrome security product manager Emily Schechter stating that HTTP pages will specifically be flagged as insecure.
Prior to Chrome 68, visitors to HTTP sites were presented with a less obvious alert icon that required a click for more security information.
This might seem like one small step for Chrome, but the move is being hailed as a giant leap for web security, as it now effectively forces site owners who have previously failed to embrace the encrypted HTTPS protocol to do so – or else risk a sharp dip in traffic.
“Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default,” said self-described “green lock evangelist” Schechter.
“HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.”
S for ‘secure’
Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP – the protocol over which data is sent between browsers and websites.
With HTTPS, communications between browsers and websites are encrypted with Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).
These security protocols use asymmetric cryptography to establish an encrypted channel between a client and a server, protecting the communication against eavesdropping and tampering.
According to Schechter, the transition towards a safer web has been continuing apace. As of February, more than 68% of Chrome traffic on Android and Windows was protected, she said. For Chrome traffic on Chrome OS and Mac, this figure stood at over 78%.
While this growing level of encryption is certainly good news, analysis from security researcher Scott Helme indicates that more than 60% of the Alexa top one million sites were still serving their content over HTTP as of February.
More recent data from Cloudflare puts this figure at 54%, indicating that there has been a major improvement in migration to HTTPS over the past five months – but there’s clearly still a long way to go.
However, with Chrome enjoying 59% of global browser market share, site owners who have been slow to transition to HTTPS will no doubt step up a gear once the ‘not secure’ tag starts appearing across their web properties – and it will certainly be interesting to compare today’s figures with those in a year.
Do I need HTTPS?
One common misconception is that sites only require HTTPS if they include login forms or handle sensitive information, such as financial transactions. However, this is not the case.
As outlined on this site, HTTPS protects more than just form data. It keeps the URLs, headers, and contents of all transferred pages confidential, while protecting sites against attackers looking to inject scripts, images, or ad content.
To enable HTTPS, site owners need to obtain a certificate from a Certificate Authority (CA).
Obtaining a certificate is a relatively straightforward process. What’s more, a certificate can be obtained for free through the non-profit CA, Let’s Encrypt.