
Google’s Move To Shame Unencrypted Sites

Google dreams of a world where the whole World Wide Web is encrypted and all information on the Internet is protected through secure channels. Although it is usually busy being the most popular search engine giant on the net, Google does to some extent share the security concerns of its 1 billion site visitors.

Google reportedly plans to introduce a feature in its Chrome browser that warns users by displaying a red X over a padlock icon in the URL bar when they land on an HTTP site. While people might notice a warning sign, they do not perceive the absence of one. This step to mark unencrypted websites with a ‘scarlet letter’ is only an optional feature in Chrome for now, but it is believed that Google will soon start shaming unencrypted websites, alerting users when they are on a site whose traffic could be intercepted by hackers, as the company looks to clamp down on cyber criminals exploiting insecure sites.


Source: PC World



Currently, when a page is served unencrypted over HTTP (Hyper Text Transfer Protocol), Chrome merely displays an icon of a white page. If the page users are accessing is encrypted, a green locked padlock appears. Google announced that it wanted the whole of the web to use Hyper Text Transfer Protocol Secure (HTTPS), and that any sites that did not should be flagged, explicitly highlighted and shamed, so that users can make informed decisions about how to interact with an origin. Communications sent over regular HTTP connections are in ‘plain text’ and can be read by any hacker who succeeds in breaking into the connection between your browser and the website. Clearly, this is a great danger if your communication is an order form that includes your credit card details or social security number.

On the other hand, HTTPS protects your information from bad guys such as cyber criminals, who are after your passwords, messages and other data. The HTTPS protocol adds an extra layer of protection against snooping and interception by scrambling data as it passes between users’ devices and the sites they visit, and the hope is that encouraging websites to implement HTTPS encryption will leave web users less vulnerable to hackers. Moreover, HTTPS helps deflect fake versions of websites that could be used to trick you.
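For site owners, the order-form risk described above can be checked mechanically. The following is an added example, not code from the original article or from Google: it parses a page's HTML and flags forms whose sensitive fields would be submitted over plain HTTP, or that were themselves delivered over HTTP. The names `FormAuditor`, `audit`, `HINTS`, the field-name heuristics and the `shop.example` page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Assumed heuristics for "sensitive" inputs; tune for your own forms.
HINTS = ("card", "cc-", "ssn", "passw")

class FormAuditor(HTMLParser):
    """Flag forms whose sensitive fields are exposed to plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self._form = (urljoin(self.page_url, a.get("action", "")), [])
        elif tag == "input" and self._form is not None:
            label = (a.get("name", "") + " " + a.get("autocomplete", "")).lower()
            if a.get("type", "").lower() == "password" or any(h in label for h in HINTS):
                self._form[1].append(a.get("name") or "password")

    def handle_endtag(self, tag):
        if tag != "form" or self._form is None:
            return
        (action, fields), self._form = self._form, None
        if not fields:
            return
        if urlsplit(action).scheme != "https":
            self.findings.append(("plaintext-submit", action, fields))
        elif urlsplit(self.page_url).scheme != "https":
            # HTTPS target, but the form itself arrived over HTTP and could
            # have been altered in transit before the user submitted it.
            self.findings.append(("form-served-over-http", action, fields))

def audit(page_url, html):
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (not from any real site).
SAMPLE = """
<form action="/pay" method="post"><input name="cardnumber" autocomplete="cc-number"></form>
<form action="https://shop.example/login"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for finding in audit("http://shop.example/checkout", SAMPLE):
        print(finding)
```

Serving the same markup from an `https://` page URL clears both findings, because the relative `/pay` action then resolves to HTTPS as well.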


Who’s on board?

In fact, Google has been proposing this move since 2014 on its Chromium Security website. However, these steps towards a more secure Internet for everyone do not come from Google alone. Companies and organisations that disagree with the current state of the Internet have joined forces to push for more encrypted sites, backing the Encrypt All the Things campaign, which calls for more network and data protection from unauthorized surveillance.


Source: Encrypt All the Things

“HTTP provides no data security,” Google software engineer Chris Palmer posted on the Chromium Project site in December 2014 when first announcing the company’s proposal to implement the new feature in Chrome. “The goal of this proposal is to more clearly display to users that HTTP provides no data security,” he noted. Palmer also went on to say, “We all need data communication on the Web to be secure (private, authenticated, untampered).”


What’s in it for the web developers?

Besides being rewarded with a green lock visible in the browser, signifying the security of their site, web developers who follow guidelines to improve the security of their sites may see those sites ranked higher in search results than less secure ones. Google’s Webmaster Trends Analysts, Zineb Ait Bahajji and Gary Illyes, stated in a blog post: “We’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.”



Although nudging more sites to make website encryption the norm is, generally speaking, great news, this move does have drawbacks of its own. Google has insisted that its plan to introduce the new feature in Chrome will not break plain HTTP sites but merely introduce a new security alerting capability. However, the company has said little about the expenses that web developers might have to incur to obtain the Secure Sockets Layer (SSL) certificates needed to implement HTTPS. Downplaying the concern, the company mentions how “some providers offer free or inexpensive certificates that Websites can use”. Branding HTTP sites with a bright X might not go over well with web developers, especially those running smaller sites.

Undeniably, the large majority of web pages available on the Internet exist in HTTP form, not HTTPS. This means that web users could start receiving security warnings on pages they have always browsed with no trouble, which could cause panic among users and lead them to hammer tech support to address the warnings. On the other end of the spectrum, web users may find these security warnings so common that they learn to ignore them just as before, which would render the whole idea of the ‘branded X’ redundant.

Undoubtedly, Google’s underlying goal in marking all HTTP pages as insecure is to encourage a safer Internet for all. In the end, however, it still depends on web users to make good decisions in their own browsing habits.


For Chrome users who wish to see how the proposed markings would work, the icon is available as an optional flag. To enable it, type chrome://flags in the URL bar, scroll to ‘Mark Non-Secure as’ and choose the option ‘Mark non-secure origins as non-secure’. This experimental feature works on Mac, Windows, Linux, Chrome OS, and Android.


