Google is planning to label unsafe websites in Chrome

In an article on its Security Blog, Google presents its plans to ex­pli­citly label unsafe HTTP sites in its Chrome browser. Version 56 has been planned for January 2017 and includes a redesign of the address bar. The URL of an un­en­cryp­ted website will be preceded by a 'not secure' warning. The websites pro­vi­sion­ally targeted will be those where credit card details and passwords are trans­mit­ted over an un­en­cryp­ted protocol. So what are the long term con­sequences that the update is likely to have for website owners and users?

If Chrome 56 is rolled out at the beginning of next year as scheduled, web addresses where credit card in­form­a­tion and passwords are trans­ferred over the un­en­cryp­ted Hypertext Transfer Protocol (HTTP), will be preceded with ‘not secure’. Until now, the search engine giant’s browser hasn’t always indicated which web projects transfer data without TLS/SSL cer­ti­fic­ates. The green lock symbol that appears when a site is encrypted isn’t always shown. Even when it was displayed, many users didn’t notice this indicator letting them know whether the website was safe or not. This was proven by a study carried out by Google and the Uni­ver­sity of Cali­for­nia. In sub­sequent versions of Chrome, the warnings will be expanded further. A possible second step is to display the 'not secure' label in incognito mode as well, and to have all HTTP sites showing this symbol since users expect a high level of security. Google may also label all un­en­cryp­ted sites in standard mode, according to state­ments made in blog posts. The URLs concerned will also receive the red warning triangle in the address bar, which until now was only used for mis­con­figured HTTPS websites.

In 2014, Google announced that en­crypt­ing a site where data trans­mis­sion via SSL or TLS takes place would count towards the ranking. Because of this, website owners should sort out a cer­ti­fic­ate for their own project. This is also combined with the fact that trans­ition­ing to HTTPS is becoming even cheaper and easier so now the number of encrypted sites has sig­ni­fic­antly increased over the last two years. The number of Google Chrome users is in­creas­ing too: currently, more than two thirds of global users access the web through Chrome, according to stat­ist­ics from w3schools.

If users are using your browser to access a page, they’re doing more than just simply clicking on an article. The digital fin­ger­print is not the only way that online activ­it­ies can be recorded by un­detec­ted cookies and tracking tools. It’s becoming more and more common for users to leave their in­form­a­tion de­lib­er­ately either in social network posts and forums, or when they subscribe to news­let­ters. In many cases, you need to enter your e-mail address and sometimes you’re asked for even more sensitive in­form­a­tion.

This data (passwords, user data, addresses, or bank details) is generally trans­ferred from the browser to the database of the re­spect­ive website using the HTTP protocol. This protocol has been providing excellent service since the web began, but it can miss an en­cryp­tion of trans­por­ted in­form­a­tion. This means that data packets, which are trans­ferred through an HTTP con­nec­tion and in­ter­cep­ted on their way between the browser and webserver, are in plain text. This makes it a lot easier for cy­ber­crim­in­als to get access to log-in data for your e-mail account, your online banking account, or your home address. By im­ple­ment­ing a SSL/TLS cer­ti­fic­ate, website operators can be sure that all com­mu­nic­ated data is trans­ferred encrypted and is therefore protected from any third parties that wish to get their hands on it.

Since the majority of the internet community seems to have not yet re­cog­nised the im­port­ance of SSL/TLS cer­ti­fic­a­tion for their web project, Google Chrome 56 explains it even better. This com­pletely revised warning system is designed to increase the users’ awareness of the im­port­ance of encrypted data trans­mis­sion and force pre­vi­ously inactive web operators to act. The proposed changes should make this project suc­cess­ful and then Chrome users will avoid sites that are marked as unsafe.

Google might ad­di­tion­ally decide to make HTTPS even more valuable as a ranking factor. While Chrome users receive a new security feature, site owners will decide whether they require SSL/TLS or not. Ambitious web project operators shouldn’t wait until Chrome 56 comes out to make the switch to encrypted data transfer. This is where the motto 'the sooner, the better' applies.