November 9, 2016
In January, Chrome will begin placing a “not secure” warning on the left of its address bar for websites that do not use strong HTTPS encryption, a group that accounts for nearly half of the world’s existing sites. Until then, Chrome posts warnings only on HTTPS sites with faulty encryption. Later in 2017, Chrome plans to expand the categories of sites for which it will issue warnings, including any unencrypted pages visited via Chrome’s Incognito mode and any HTTP site offering downloads.
Wired reports that users will see a “telltale lack of a green padlock” and that many sites that have not yet adopted HTTPS are “set for an unpleasant wakeup call when they fail those tests.”
“This is really important,” said Josh Aas, founder of nonprofit Let’s Encrypt. “There’s no more effective motivator for websites to switch to HTTPS than the browser’s user interface.”
But switching to HTTPS from HTTP isn’t always a simple task, since “many complex media sites with elements like ads and video, for instance, are dependent on those outside data sources to encrypt every piece of content before they can meet Google’s bar.”
When moving its website to HTTPS, Wired needed five months to “iron out issues like insecure third-party content and, ironically, maintaining the site’s high rankings in search results while changing all of its Web addresses.” In late 2014, The New York Times challenged news sites to switch to HTTPS by the end of 2015, “but still hasn’t achieved that standard itself.”
Google is pushing HTTPS because it “loves the open Web, where its search engine reigns supreme and its ads rake in the vast majority of the company’s $80 billion a year in revenue.”
Google’s head of security for Chrome, Parisa Tabriz, says that, to compete with mobile apps, “Google wants Web pages to be able to reach deeper into your computer’s resources … that apps routinely use.” To protect privacy, however, sites need to be secure. “You wouldn’t want a man-in-the-middle to be able to access those things,” said Tabriz, referring to “hackers who intercept and eavesdrop on HTTP data as it’s traveling from your computer to a Web server and back.”
Tabriz’s team is keeping score of “the exact fraction of sites visited through Chrome that are encrypted, broken down by country and operating system.” Among the results, about 51 percent of Chrome traffic on Windows is encrypted and 60 percent on macOS, whereas only 43 percent on Android is encrypted.
With regard to countries, “60 percent of Windows users’ Chrome connections are encrypted in the U.S., only 47 percent are protected in Turkey and only a third in Japan.” The goal is to make HTTPS so ubiquitous that “users can rightly assume their traffic is encrypted unless they see an alert to the contrary.”