Chrome will mark HTTP connections to websites as non-secure from January 2017

Pierluigi Paganini September 09, 2016

From January 2017, Chrome will indicate connection security with an icon in the address bar labeling HTTP connections to sites as non-secure.

Google continues its effort to make the web a better place by pushing the adoption of encryption, we left the IT giant in May when it announced the decision to switch on default HTTPS for its free domain service provider Blogspot.

Now Google confirmed that starting from January of 2017 its web browser Chrome will begin labeling HTTP sites that transmit passwords or request the user’s sensitive data (i.e. credit card details) as “Non Secure” to encourage the use of encryption.

A couple of years ago, Google also introduced new rules in its search engine algorithm in order to increase the ranking of websites using the HTTPs protocol.

The company plans to release the Chrome 56 version in January 2017 as reported on the Google Security Blog.

“To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.” states the post published by Google.

google- HTTP connections label

The use of Unencrypted HTTP connection exposes users to the risk of eavesdropping, an attacker could execute a man-in-the-middle attack to intercept data in transit and manipulate it.

Starting from the Chrome 56 release, Chrome will flag HTTP pages as “Not secure” by using a neutral indicator even in the address bar of incognito mode, where uses expert more privacy.

“In following releases, we will continue to extend HTTP warnings, for example, by labeling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.” reads the post.

This summer, Google implemented HTTP Strict Transport Security (HSTS) on the domain to protect users and prevent them from navigating using the HTTP protocol.

Google confirmed that more than half of the websites visited by users with its Chrome browser are already encrypted.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Google,  HTTP sites)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment