
Google Will Mark HTTP Sites As Unsafe Starting in 2015

Google plans to mark all HTTP pages “insecure” to warn users about data security and privacy issues, according to Chromium.org.

As part of the open-source Chromium Projects, the initiative will affect Chrome starting in January. It’s meant to encourage all website owners to switch to HTTPS by default.

“We all need data communication on the web to be secure (private, authenticated, untampered),” Google’s team said. “When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin.”

The Google team suggests browsers define three basic states of security:

  • Secure (valid HTTPS)
  • Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors)
  • Non-secure (broken HTTPS or HTTP)

Also, they recommend “a phased approach to marking non-secure origins as non-secure.”

“For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins,” the team wrote.

The Chromium projects include Chromium and Chromium OS, two open-source platforms aiming to provide a safer way for people to use the web.

About the author

Alexandra GHEORGHE


8 Comments

  • This is fine providing that the average website user knows the difference between “insecure” and “your privacy isn’t at risk because you’re not submitting anything to this website”. Small companies and non-profit organisations can’t always justify the cost of an SSL certificate on top of hosting and a site build where one isn’t strictly needed. To mark them down in SERPs and discourage users from visiting non-SSL sites doesn’t present a fair playing field.

    • The EFF (http://eff.org) will be offering free certificates in 2015. They want to make the process easy and cheap for sites to become secure.

    • There are SSL cert providers running the entire cost spectrum, including free. Cost is not an excuse. The electricity to run a server for a year costs VASTLY more than the cost of an SSL cert for it, even if you use one of the more expensive providers.

    • That playing field is in the process of being leveled:
      http://techcrunch.com/2014/11/18/mozilla-eff-and-others-band-together-to-provide-free-ssl-certificates/

  • Well, you can have all the https in the world, but with a self-signed certificate you are still not connecting to a SECURE server; only the messaging between the servers is encrypted. Perhaps Google has an investment in Verisign?