Pages

Wednesday, 23 May 2018

Google details how it will overturn encryption signals in Chrome

secure encrypted internet web browser address bar

Google has fleshed out its plans to upend the way browsers warn users of insecure websites, spelling out gradual steps the company will take with Chrome.

Google has further fleshed out plans to upend the historical approach browsers have taken to warn users of insecure websites, spelling out more gradual steps the company will take with Chrome this year.

Starting in September, Google will stop marking plain-vanilla HTTP sites - those not secured with a digital certificate, and which don't encrypt traffic between browser and site servers - as secure in Chrome's address bar.


The following month, Chrome will tag HTTP pages with a red "Not Secure" marker when users enter any kind of data.

–– ADVERTISEMENT ––
Eventually, Google will have Chrome label every HTTP website as, in its words, "affirmatively non-secure." By doing so, Chrome will have completed a 180-degree turn from browsers' original signage - marking secure HTTPS sites, usually with a padlock icon of some shade, to indicate encryption and a digital certificate - to labeling only those pages that are insecure.

"Users should expect that the web is safe by default," wrote Emily Schechter, a product manager on the Chrome security team, in a May 17 post to a company blog.

 "Since we'll soon start marking all HTTP pages as 'not secure,' we'll step towards removing Chrome's positive security indicators so that the default unmarked state is secure."

In July, Chrome 68 - slated to release the week of July 22-28 - will mark all HTTP sites by planting 'not secure' in the address bar. Google had previously announced that stage of its signage changes.