On the Chromium Security web site, Google has put out a proposal for comment that user agents, such as web browsers, should flag all plain HTTP web pages as insecure.
Google has been taking an assertive and aggressive stance on advancing the use of SSL/TLS on the Internet and on strengthening those protocols. In 2014 alone they have:
- Accelerated the schedule for retiring support for SSLv3, a version we now know to be insecure by design
- Pushed for a quicker deprecation of the SHA-1 hash algorithm in favor of SHA-2
- Introduced their own methods of checking for certificate revocation, arguing that standard methods are broken
- Even suggested that they will boost search engine rankings for sites which use HTTPS
In all these things they have been way ahead of other vendors and probably most of their customers, all of whom tend to move very slowly when it comes to changes in basic protocols such as these.
Google's point in the Chromium proposal is indisputable: HTTP sites provide no data security at all. Shouldn't the user be alerted to this? We have taken to warning against other cases where encryption could be provided but isn't, such as open Wi-Fi. But the approach so far has been to make a positive distinction for SSL sites, and an even more positive one for EV-SSL web sites, rather than to draw attention to the lack of security in plain old HTTP.
The downside is probably the jarring experience: undoubtedly the large majority of web pages out there are HTTP, not HTTPS. That means users will start getting security warnings about pages which have always looked normal. We can say this is for their own good, but many users will be confused and/or scared and will bother tech support about it.
My real fear is that security warnings will become so common that users will just learn to ignore them. Google isn't about to put up a big interstitial warning when the user encounters one of these pages, as they do with phishing sites, so users will be able to get along fine paying no attention to the change in the address bar.
I sympathize with Google on this, but I think this is a step too far at this time. I'm all for taking whatever measures there are to secure the Internet automatically in spite of the users, which is what Google suggested in the four bullet-pointed proposals above. Marking all HTTP pages as insecure still relies on the user to make a good decision, and it is in fact likely to reinforce bad ones.
It's worth repeating that this is just a trial balloon, not a firm declaration that Google will put such changes into Chrome. They're looking for feedback. Even if I think it's not a good idea, I have to admire their actions.