Google announced its plans to make HTTPS protection the standard unmarked state for web pages in an upcoming version of Chrome.
On 17 May, Chrome Security product manager Emily Schechter unveiled two security indicators that Google intends to incorporate into its web browser. The first will involve removing the "Secure" wording from HTTPS-protected pages, effectively making HTTPS the default unmarked state for web pages. Schechter said that change is expected to roll out in September 2018 with the release of Chrome 69.
One implication of removing the "Secure" tag is that HTTPS only signals that a page uses encryption; if that encryption is not deployed properly, the page is not necessarily safe. For example, attackers can hijack encrypted connections and use them for eavesdropping, phishing and even data exfiltration. The overall security of these HTTPS machine identities depends on how strongly they are created and how carefully they are implemented.
The second security indicator will likely activate a month later with Chrome 70. As part of that change, Google will display a red "Not Secure" warning whenever users begin entering data into any HTTP page. This overt HTTP shaming will help drag the world, kicking and screaming, into the age of encryption.
Per Schechter's blog post on the matter, Google hopes "these changes continue to pave the way for a web that’s easy to use safely, by default." But it might not always be easy. Craig Stewart, VP of cyber security company Venafi, thinks it could be particularly difficult for administrators charged with updating their websites' certificates.
"Just the task of discovering these [pages marked “Not Secure”] and making sure they are upgraded to HTTPS will be a big task and, if done manually, there are likely to be gaps which cause disruption to customers and business processes," Stewart said, as quoted by Computer Business Review. "Unless organizations are able to identify where their HTTP certificates are, and then have the flexibility to revoke and replace these with HTTPS certificates, they will be faced with customers, partners and prospects refusing to access a seemingly insecure site. It's those sites that do not use HTTPS that should be brought to our attention so that we do not use them."
Acknowledging these difficulties, Stewart recommends that organizations investigate solutions that are capable of automatically discovering their certificates and monitoring them for abuse.
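As an added illustration of the two points above (the Chrome 70 warning on HTTP pages that take input, and HTTPS pages that do not use encryption properly), the following script walks an inventory of pages and flags the ones an administrator would need to fix first. It is example code written for this article, not code from Google, Chrome or Venafi; the host names and HTML snippets are constructed samples, and it uses only the Python standard library so it runs offline.

```python
"""Inventory check for pages affected by Chrome's "Not Secure" changes.

Two findings per page:
  * http_with_input - served over plain HTTP and contains a form field, so
                      Chrome 70 shows the red "Not Secure" label as soon as a
                      user starts typing into it.
  * mixed_content   - served over HTTPS but loads a subresource over http://,
                      one common way an HTTPS page fails to use encryption
                      properly.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL-bearing attributes pull subresources into the page.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
    "audio": ("src",),
    "video": ("src",),
}
# Elements a user can type or choose into; hidden inputs are excluded below.
INPUT_TAGS = {"input", "textarea", "select"}


class PageInspector(HTMLParser):
    """Collects user-input fields and http:// subresources from one page."""

    def __init__(self):
        super().__init__()
        self.has_input = False
        self.insecure_subresources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in INPUT_TAGS and (attrs.get("type") or "").lower() != "hidden":
            self.has_input = True
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = (attrs.get(attr) or "").strip()
            # Protocol-relative URLs ("//cdn/...") inherit the page scheme
            # and are not flagged; only explicit http:// is mixed content.
            if urlsplit(value).scheme.lower() == "http":
                self.insecure_subresources.append(value)


def inspect_page(url, html):
    """Return the list of findings for a single (url, html) pair."""
    scheme = urlsplit(url).scheme.lower()
    parser = PageInspector()
    parser.feed(html)
    findings = []
    if scheme == "http" and parser.has_input:
        findings.append("http_with_input")
    if scheme == "https" and parser.insecure_subresources:
        findings.append("mixed_content")
    return findings


def build_report(pages):
    """pages: iterable of (url, html). Returns {url: findings} for flagged pages."""
    report = {}
    for url, html in pages:
        findings = inspect_page(url, html)
        if findings:
            report[url] = findings
    return report


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_PAGES = [
    ("http://intranet.example.test/login",
     '<form method="post"><input name="user"><input type="password" name="pw"></form>'),
    ("http://intranet.example.test/about",
     "<p>Static page, no fields.</p>"),
    ("https://shop.example.test/checkout",
     '<script src="http://cdn.example.test/cart.js"></script><input name="card">'),
    ("https://shop.example.test/",
     '<img src="https://cdn.example.test/logo.png"><input type="hidden" name="csrf" value="x">'),
]

if __name__ == "__main__":
    for url, findings in build_report(SAMPLE_PAGES).items():
        print(url, "->", ", ".join(findings))
```

In practice the `(url, html)` pairs would come from a crawl of the organisation's own sites; the point of the parser is that a plain HTTP page with no input fields is not urgent for the Chrome 70 warning, while an HTTPS page that pulls scripts over http:// is still a problem even though it carries no "Not Secure" label.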