Google is set to change the way websites secured with the HTTPS protocol appear to users of its Chrome browser, in the next step of its ongoing campaign to promote the use of encrypted communications on the web.
HTTPS was initially used by the likes of e-commerce or banking sites, typically to protect the security of sensitive data, such as the entry account credentials or payment details, but has recently become more widespread, in part thanks to Google’s efforts to shame sites that don’t use it.
Browsers have been marking HTTPS-secured sites with a green padlock for more than a decade, and last year Chrome began marking sites that handle transactions, but don’t use the protocol, as “Not Secure”.
The next step, Google has said, is to eliminate the “Secure” label from HTTPS sites, since HTTPS should be the norm, the company said.
“Users should expect that the web is safe by default, and they’ll be warned when there’s an issue,” Chrome security product manager Emily Schechter wrote in a blog post.
Version 69 of Chrome, coming in September, will change the way web data entry fields protected with HTTPS are marked, replacing the green padlock and the word “Secure” with a simple grey padlock.
At some point after that, Chrome will eliminate the padlock altogether, Google said.
“Since we’ll soon start marking all HTTP pages as ‘not secure’, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure,” Schechter wrote.
With Chrome version 70, in October, Chrome will also change the way data-entry fields on non-HTTPS websites are marked.
They will be marked as “Not secure” in the address bar, and when a user begins entering information on the page, the warning will turn red, with a red triangle.
The use of HTTPS was initially limited in part due to the complexity of managing the secure systems and certificates involved, but Google said the technology is now “cheaper and easier than ever before”.
Security experts, however, have said the spread of HTTPS can lull users into a false sense of security, since there’s nothing to stop malicious sites from deploying it.
And while it protects information passed to a web page, it does nothing to ensure websites protect that data once it’s in their possession – a fact that has led to a number of massive security breaches in recent years.
Do you know all about security? Try our quiz!