Security news that informs and inspires

Google Puts Plaintext HTTP Out to Pasture

Google is running out of patience with the unencrypted web. Quickly.

For the last few years, Google Chrome has been using various visual indicators, such as a green padlock and the word “secure” in the address bar, to let users know when they’re on a page that uses HTTPS. This helps people know that not only is the traffic between their machines and the site encrypted, but that the site’s identity has been verified.

But in the next few months, Google plans to remove those indicators from its browser and instead will show users a clear warning when they’re on pages that are not using HTTPS. The idea is to build an expectation among users that sites are secure and to throw warnings for the exceptions.

“Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as ‘not secure’, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the ‘Secure’ wording and HTTPS scheme in September 2018 (Chrome 69),” Emily Schechter, a product manager on the Chrome Security team, said in a post on the change.

This may seem like just a cosmetic change, but it’s much more than that. Google’s influence on the web can’t be overstated, and Chrome is by far the most popular browser worldwide. By deciding to mark all plaintext HTTP pages as not secure, Google is sending a clear signal to the rest of the web ecosystem: unencrypted connections are a thing of the past. And where Google goes, the web generally follows.

The amount of web traffic served over HTTPS connections has been climbing steadily in the last few years, thanks to a convergence of several factors. A big part of this trend is due to Google’s own work to convert as much of the traffic into and out of its services to HTTPS as possible. The company began transitioning its core services, such as Gmail, search, and others, to HTTPS by default several years ago. Another significant contributing factor was the revelation by former NSA contractor Edward Snowden that the intelligence community had compromised large portions of the Internet. ISPs, large tech providers, and content-delivery networks started or accelerated their work to encrypt their infrastructure around the world in the wake of those disclosures.

And the long-term work by the Chrome team, Mozilla, and Microsoft to nudge sites toward serving their pages over HTTPS by default has made a major difference, too. When the browser vendors start telling users that the sites they’re visiting aren’t secure, things tend to change. And change they have. In early 2015, 39 percent of the pages loaded in Chrome by Windows users were on HTTPS connections. Right now, that number stands at 73 percent, according to Google’s Transparency Report. The numbers are just as impressive on Chrome OS: 45 percent in March 2015 and 84 percent in May 2018.

Moving large chunks of web traffic to secure connections by default is the kind of behind-the-scenes work that doesn’t always register with users but makes a major difference in their day-to-day security, without any effort on their part.

“We hope these changes continue to pave the way for a web that’s easy to use safely, by default,” Schechter said.