Reefa Posted January 27, 2016

Google wants everything on the web to be travelling over a secure channel. That’s why in the future your Chrome browser will flag unencrypted websites as insecure, displaying a red “x” over a padlock in the URL bar.

With this upcoming change in Chrome, Google makes it clear that the web of the future should all be encrypted, and all sites should be served over HTTPS, which is essentially a secure layer on top of the usual HTTP web protocol.

Several companies and organizations have been pushing for more encrypted sites as part of a campaign to “Encrypt All The Things,” which consists of promoting more websites to abandon the traditional, less secure HTTP protocol and adopt HTTPS.

Currently, Chrome displays only an icon of a white page when the website you’re accessing is not secured with HTTPS, a green locked padlock when it is, as well as a padlock with a red “x” on it when there’s something wrong with the HTTPS page the user is trying to access. The change will draw even more attention to the sites that are potentially insecure.

The internet giant quietly announced this plan back in 2014, when one of the members of the Chrome Security Team sent out a proposal to mark all HTTP websites as “non-secure.”

“The goal of this proposal is to more clearly display to users that HTTP provides no data security,” Google’s Chris Palmer wrote.

On Tuesday, during a presentation at the Usenix Enigma security conference in San Francisco, Google pushed the proposal out in the open with much more fanfare, and gave a sneak peek of how it’s going to look. (You can see the little red “x” on the padlock in the URL bar.)

The future. More like this coming down the pike. (Chris Palmer, January 26, 2016)

Parisa Tabriz, who manages Google’s security engineering team, tweeted that Google’s intention is to “call out” HTTP for what it is: “UNSAFE.”

The rationale is that on every website served over HTTP the data exchanged between the site’s server and the user is in the clear, meaning anyone with the ability to snoop on the connection, be it a hacker at a coffee shop or a repressive government, could steal passwords, private messages, or other sensitive information.

But HTTPS doesn’t just protect user data, it also ensures that the user is really connecting to the right site and not an imposter one. This is important because setting up a fake version of a website users normally trust is a favorite tactic of hackers and malicious actors. HTTPS also ensures that a malicious third party can’t hijack the connection and insert malware or censor information.

Google already signaled its preference for HTTPS websites when it called for HTTPS to be “everywhere” on the web during its 2014 I/O conference, and when it announced that it would rank encrypted sites higher in search results.

But the internet giant is far from the only big player on the web pushing for more HTTPS. Mozilla and Apple have both indicated that they want more web encryption. And even the US government has taken important steps in that direction, requiring all .gov websites to be HTTPS by default before the end of this year.

Google hasn’t said when it will make the HTTP flag the default on Chrome, but a Google employee who asked to remain anonymous because he wasn’t authorized to speak to the press told me that there will be an announcement "soon" and that the intention is to make it default “someday, hopefully.” (A Google spokesperson declined to comment.)

But if you want to see what it looks like, you can already turn it on by typing “chrome://flags” in your Chrome browser and then navigating to “mark non-secure as” and selecting “mark non-secure origins as non-secure.”

http://motherboard.vice.com/en_uk/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https

Administrator DKT27 Posted January 27, 2016

What about the small sites who cannot afford HTTPS certificates? Implementing and maintaining an HTTPS site is impossible for small sites.

straycat19 Posted January 27, 2016

39 minutes ago, DKT27 said:
> What about the small sites who cannot afford HTTPS certificates? Implementing and maintaining an HTTPS site is impossible for small sites.

They will disappear eventually. Some organizations are already blocking their employees from accessing any website that doesn't support https. Like many other changes on the net, you have to keep up with the technology or be left behind. Of course there is always the possibility of a large website with https hosting smaller websites much like Geocities in 1996 where users had a location and address as if it were a house in a city.

CODYQX4 Posted January 28, 2016

5 hours ago, DKT27 said:
> What about the small sites who cannot afford HTTPS certificates? Implementing and maintaining an HTTPS site is impossible for small sites.

Ideally their host partners with Let's Encrypt, enabling a one-click SSL install and automatic renewal. They won't need to know how to deploy SSL themselves, and there won't be a need to buy an SSL. Once properly installed, make all links redirect to HTTPS.

The really small sites are often running on a blogging software. That can be coded in an update to handle the rest.

It's not as hard as you think, especially when you take the site owners who know nothing out of the equation. The biggest barrier is cost and installation (and the latter can be automated, and the hosting provider can make this automatic).

Nobody wants to buy an SSL for their personal blog, after all.

vibranium Posted January 29, 2016

Gmail was the first free email service with HTTPS, and now you can't run away from HTTPS in email. Google sets a good trend.
This topic is now archived and is closed to further replies.