Google Chrome gets ready to mark all HTTP sites as 'bad'

Google's push for all websites to be HTTPS has so far been all carrot. But the company is now using its big stick: a large red cross through every website that doesn't offer an encrypted connection.
Written by Liam Tung, Contributing Writer

The future of Chrome: HTTP sites are unmistakably marked as dangerous.

Image: Liam Tung/ZDNet

A year after Google's Chromium Security team proposed marking all HTTP sites which are non-secure, the company is preparing to implement the policy in Chrome.

As the company highlighted in its proposal in 2014, HTTP sites provide no data security to users, so why don't browsers warn users of this fact, say, by displaying a red cross over a padlock next to the URL instead of the status quo, which is no warning at all?

Google called on Apple, Microsoft, and Mozilla to reverse the situation gradually, so that one day the only unmarked sites are those that have enabled the more secure protocol, HTTPS.

With HTTPS, the connection to users is encrypted and the site's digital certificate has been verified by a third-party certificate authority.

The new marking in Chrome is designed to be the stick to the carrots Google has dangled to encourage wider adoption of HTTPS.

Google argues that properly secured connections can frustrate surveillance attacks on the web. In 2014, it began using HTTPS as a positive ranking signal and in December adjusted its indexing system to crawl for HTTPS equivalents of HTTP pages and prioritize them where they're available.

However, until this week it hadn't announced any progress on its proposal. At the Usenix Enigma 2016 security conference, Google offered a snapshot of the future, showing what The New York Times website would like when Google implements the feature in Chrome.

Chrome users can look at how the markings would work by typing chrome://flags/ in the URL bar and enabling the experimental feature 'Mark non-secure origins as non-secure'.

It is not clear when Google will introduce the new marking system by default in Chrome, though some observers, such as Eric Mill from the US General Services Administration's tech savvy unit 18F, have taken it as a sure sign the plan will proceed.

Google's Chromium issue tracker also indicates it is pressing ahead with the feature: "Our goal is to mark non-secure pages like HTTP, using the same bad indicator as broken HTTPS, since this 1) is more accurate than marking such pages as neutral, and 2) simplifies the set of security indicators."

And as the company prepares to begin marking HTTP as bad, it has also released new tools to help developers deploy HTTPS.

On Tuesday, Google announced Security Panel, a new developer tool in Chrome that will help them identify common issues preventing sites from attaining the green padlock that represents a properly secured connection.

The tool will check the validity of a digital certificate and whether the site is using a secure protocol, cipher suite, and key exchange.

It will also help pinpoint the source of mixed content issues, such as a non-secure image on an otherwise secured page, which today in Chrome will trigger a grey padlock with a yellow triangle.

Read more about Google Chrome browser

Editorial standards