Our Blog

HTTP as "Not Secure" - 2 weeks to go

Share

Wednesday, Jul 11, 2018

A date for your diary: 24 July.

In February 2018 the Chrome developers announced that as of Chrome 68 they will mark all HTTP sites as “Not secure”.  In 2 weeks, upon the release of Chrome 68 on July 24, we can expect users to see “Not secure” in the address bar when browsing to *any* HTTP-enabled page.

What can we expect next?

Now that the majority of (popular) websites are HTTPS-enabled the warnings presented to a user have been reviewed.

Indeed, at the start of July 2018, Google achieved HTTPS across 94% of their services.  With everything from Maps to News to Gmail to Drive under the spotlight they are striving for 100% encryption across their services.

The Chrome developers realised it will become increasingly useful to warn a user when an action they are performing is not secure and tone down the alert messages when a page is secure.

The table below shows how the security indicators will change in the Google Chrome browser going forward:

Google’s Chromium blog details the full timeline they are seeking to follow.

What are the implications?

In my first blog on the topic of Chrome adjusting the security indicators I highlighted how web users will be discouraged from using HTTP pages in favour of HTTPS pages.  This is, of course, Google's aim along with encouraging webmasters to migrate to HTTPS.  While Chrome 68 will mark all HTTP pages as “Not Secure” I believe it will be Google’s eventual browser feature to mark all HTTP pages in red colour as “Not Secure” while reducing the security indicators on HTTPS websites that will realise their aims.  The anomaly of a HTTP page will be very apparent to end users.

This change in user behaviour and preference will be significant. 

As organisations see the ratio of HTTPS to HTTP traffic increase following wider adoption of HTTPS they will struggle to identify the potential risk being posed by encrypted traffic.  Data transmitted over secure channels or connections made to command & control servers would remain uninspected due to businesses not adopting the technology to make such assessments.  Having such material slip under the radar is not acceptable.

 

I envisage other browser developers will follow Google's example.

 

You can keep up-to-date with release schedules and launches on the Chrome team's blogs.

Look out for updates as the web moves to a secure web by default.

About the Author

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint’s Security Labs team. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Security Labs teams. Focusing on protecting companies against the...