July 23: After months of reminders, Google began marking web pages served over plain HTTP (rather than HTTPS with a valid TLS certificate) as “Not Secure” in Chrome version 68. Unfortunately, users will see the warning on many of the pages they regularly visit, because many website operators have still not switched over to the more secure protocol.
Independent security researchers Troy Hunt and Scott Helme analyzed the list of the top one million websites from Alexa, the Amazon-owned service that ranks websites by traffic, and found that more than half of the Internet’s most popular sites would be marked as “Not Secure” by Chrome. Even though a little over 73 percent of web pages worldwide are now loaded over a secure connection, the number of well-known sites listed on WhyNoHTTPS? as still not using HTTPS is an eye-opener.
"It's a who's who of the world's biggest websites not redirecting insecure traffic to the secure scheme,” Hunt wrote in a post announcing the WhyNoHTTPS project.
Some of the sites that show up on WhyNoHTTPS are well-known media sites, such as the BBC, Daily Mail, ESPN, Fox News, Germany’s Der Spiegel, Italy’s La Repubblica, and Estonia’s Delfi. Many site owners believe that because they serve static pages and have no forms or other sensitive information, they don’t need HTTPS. That belief misses the integrity half of the problem: a page sent in plaintext can be altered by anyone on the network path, regardless of what the page itself contains.
Aside from the security benefits of protecting user information in transit and preventing pages from being tampered with, there are commercial benefits to using HTTPS, since browsers and search bots prioritize HTTPS sites.
No one wants users to think there is something wrong with the site because Chrome says the site is “Not Secure.”
Cloudflare warned that more than 542,000 of the top one million sites do not redirect to HTTPS.
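The property that WhyNoHTTPS and Cloudflare are counting is whether a request to the plain-HTTP address of a site ends up on HTTPS. The following Python checker is an added example, not code from the article, from the WhyNoHTTPS project or from Cloudflare; it follows a redirect chain hop by hop and classifies the result. The hostnames and responses in `CONSTRUCTED_RESPONSES` are made up for the offline demonstration, the verdict labels are my own, and `live_fetch` is one assumed way of wiring the same check to real sites.

```python
"""Check whether a plain-HTTP URL redirects to HTTPS (added example, not from the article)."""
from urllib.parse import urljoin, urlsplit
import http.client


def check_https_redirect(start_url, fetch, max_hops=5):
    """Follow redirects from start_url using fetch(url) -> (status, headers).

    Returns (verdict, chain, hsts_present). Verdicts (my own labels):
      'redirects-to-https'  the chain reaches an https:// URL that answers 2xx/3xx
      'serves-over-http'    a 2xx page is delivered in plaintext (Chrome 68: "Not Secure")
      'https-error'         the https hop answers 4xx/5xx
      'http-error'          a plain-http hop answers something other than 2xx/3xx
      'too-many-redirects'  more than max_hops hops (e.g. a redirect loop)
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        # HTTP header names are case-insensitive; normalise before lookup.
        h = {k.lower(): v for k, v in headers.items()}
        if urlsplit(url).scheme.lower() == "https":
            if 200 <= status < 400:
                # Arrived on HTTPS; also report whether HSTS is set so that
                # the browser skips the plaintext hop on later visits.
                return "redirects-to-https", chain, "strict-transport-security" in h
            return "https-error", chain, False
        if 300 <= status < 400 and h.get("location"):
            url = urljoin(url, h["location"])  # Location may be relative
            chain.append(url)
            continue
        if 200 <= status < 300:
            return "serves-over-http", chain, False
        return "http-error", chain, False
    return "too-many-redirects", chain, False


def live_fetch(url, timeout=10):
    """One GET without following redirects (network; assumption about real-world wiring).

    HTTPSConnection verifies the certificate by default, so a site with an
    invalid certificate raises ssl.SSLError here, much as Chrome would refuse it.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Host": parts.hostname, "User-Agent": "https-check/0.1"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    resp.read()  # drain the body so the connection can be closed cleanly
    conn.close()
    return resp.status, headers


# Constructed responses for an offline run; none of these hosts are real.
CONSTRUCTED_RESPONSES = {
    # well-configured site: one hop to https, HSTS enabled
    "http://good.example/": (301, {"Location": "https://good.example/"}),
    "https://good.example/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    # two-hop chain through a www host, no HSTS at the end
    "http://chain.example/": (301, {"Location": "http://www.chain.example/"}),
    "http://www.chain.example/": (302, {"Location": "/secure-home"}),  # relative Location
    "http://www.chain.example/secure-home": (302, {"Location": "https://www.chain.example/"}),
    "https://www.chain.example/": (200, {"Content-Type": "text/html"}),
    # still serving plaintext: what Chrome 68 labels "Not Secure"
    "http://plain.example/": (200, {"Content-Type": "text/html"}),
    # misconfigured redirect loop
    "http://loop.example/": (302, {"Location": "http://loop.example/"}),
}


def constructed_fetch(url):
    """Offline stand-in for live_fetch backed by CONSTRUCTED_RESPONSES."""
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    for start in ("http://good.example/", "http://chain.example/", "http://plain.example/", "http://loop.example/"):
        verdict, chain, hsts = check_https_redirect(start, constructed_fetch)
        print(f"{start:26} {verdict:20} hsts={hsts}  via {' -> '.join(chain)}")
```

To run it against a real host, pass `live_fetch` instead of `constructed_fetch`; the hop limit guards against redirect loops, and a relative `Location` is resolved against the current URL because servers commonly send one.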
What’s the Big Deal?
The web uses the Hypertext Transfer Protocol (HTTP) to fetch a web page from the server and display it in the web browser. Since the contents are transmitted in plaintext, someone on the network path can eavesdrop on the communications between the user and the server, or modify the page to show something else. The secure equivalent, HTTPS, runs HTTP over TLS: the server proves its identity with a digital certificate, and the connection encrypts and integrity-protects the contents in transit between the server and browser. HTTPS makes it much harder for criminals to tamper with pages, whether by injecting ads, hijacking the browser to run cryptominers, or redirecting users to phishing sites.
There has been a push over the past year or so to move more of the Web to encrypted connections, so that users know the page they are seeing is the one the server sent and their information is protected from eavesdroppers. Google and other major browser makers have changed how website addresses are displayed in the address bar to make it easier for users to tell when a website is properly configured to use HTTPS. Free certificate authorities such as Let’s Encrypt have made it easy to obtain valid certificates, and there are many tools that help with certificate management and renewal.
“We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying ‘this is coming.’ Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely,” Hunt wrote.
The fact that tech giants such as Amazon, Facebook, Google, and Microsoft moved all their sites to use HTTPS helped normalize the idea that the Web should be HTTPS by default. But there are sites still stuck on HTTP, and Google’s decision to change how Chrome will display HTTP and HTTPS pages will hopefully spur these website operators to finally act.
Changing Behaviors
With most of the web using HTTPS and Chrome’s interface change, it’s time to retrain users. Users have been taught to look for the padlock icon to verify that the page is using a secure connection. No more. The default assumption is that the Web is encrypted, period. The user experience is now about warning users when the page’s connection is not encrypted.
As with any change, there is going to be some confusion, especially since other browsers are sticking with the old patterns.
Google Chrome version 68 and onward displays “Not Secure” in the address bar if the page is loaded over plain HTTP. Secure pages, the ones correctly using HTTPS, still show “Secure” in green (or the “Secure” label and the organization’s name in green if the site uses an EV certificate) in the address bar. In September, Chrome version 69 will change the green “Secure” indicator to just a black padlock icon, and in October, Chrome version 70 will start showing the “Not Secure” warning in red. “Eventually” the padlock will go away for secure sites.
No more trying to figure out whether a site has an EV certificate or a DV certificate. Now it is simpler: encrypted or not encrypted. One caveat worth keeping in mind: the indicator says only that the connection is encrypted and the certificate matches the site’s hostname, not that the site itself is trustworthy, since a phishing site can obtain a valid DV certificate as easily as anyone else.