Chrome users who visit some HTTP sites will be notified, starting in January 201 7, they are on a site that is is is notsecure.
Google said today the browser will begin explicitly labeling HTTP connections which either a password or credit card form as non-secure. The company said the plan is the first step toward marking all HTTP sites as non-secure, even though it didn’t provide a timetable for the undertaking.
A member of Chrome’s Security Team named Emily Schechter, alerted users of the planned move in a post to Google’s Security blog. The company said the move will improve on the browser’s current iteration of a warnung, which generally indicates HTTP connections using a neutral indicator. Its a matter of time before Google marks all HTTP pages as non-secure and use the same small red triangle it currently uses for broken HTTPS sites. “This doesn’t reflect the true lack of security for HTTP connections,” Schechter wrote of the neutral indicator. “When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.” Schechter notes that an academic paper released earlier this summer by Google’s Adrienne Porter Felt and Robert Reeder, among other researchers, spurred the move.
That paper, “Rethinking Connection Security Indicators,” found that most users understood Chrome’s green lock but were unclear what Chrome’s neutral page icon meant. In response, the researchers proposed three symbols appear in Chrome’s URL bar: A green lock for secure HTTPS sites, a gray “i” for insecure HTTP sites, and a red triangle for not secure, invalid HTTPS sites. While the paper said Google was planning to adopt the researcher’s findings, it wasn’t clear when they’d find their way into Chrome until now.
