Chrome browser flags all sites that are 'not secure'

Unsecured Web sites will be exposed under Chrome's new policy.

In a move it calls a milestone, Google's Chrome Browser now lists all unencrypted sites as "not secure", starting with today's release of Chrome 68.

The bbc.com, dailymail.co.uk, espn.com and foxnews.com sites are a few of the many the browser will flag because they do not use HTTPS, the secure version of the Web's underlying data transfer protocol.

Google announced nearly two years ago that it intended to start flagging any site that still employs unencrypted HTTP, and said in February that July this year was D-Day.

It is part of the company's effort to encourage site owners to adopt HTTPS, a secure encryption standard for data on the move, and build a more secure Web.

The HyperText Transfer Protocol (HTTP) is the foundation of data communication for the Web, and defines how data is passed around it. The "S" in HTTPS stands for "secure" and guarantees that data is encrypted before it travels.

Emily Schechter, Chrome Security product manager, says security has been one of Chrome's core principles since the beginning.

"Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as 'not secure'. This makes it easier to know whether your personal information is safe as it travels across the Web, whether you're checking your bank account or buying concert tickets. Starting today, we're rolling out these changes to all Chrome users," she says.

Naming and shaming

Troy Hunt, an Australian Web security expert known for public education and outreach on security topics, has unveiled a Web site called whynohttps.com. It names and shames the world's top 100 Web sites by Alexa rank that do not automatically redirect insecure requests to secure ones.

HTTPS is easy and increasingly ubiquitous, Hunt says. "It's also now required if you don't want Google Chrome flagging the site as 'not secure'. Yet still, many of the world's largest Web sites continue to serve content over unencrypted connections, putting users at risk even when no sensitive data is involved."
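The redirect behaviour that whynohttps.com reports on can be checked for a site you run. The following is an added example, not code from the article or from whynohttps.com; the function names and the sample hosts (constructed, under .example) are assumptions, and it goes slightly further than the article by also flagging redirect loops and HTTPS-to-HTTP downgrades.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def audit_redirects(start_url, fetch, max_hops=10):
    """Follow redirects from start_url; fetch(url) -> (status, Location or None)."""
    url, chain, seen = start_url, [], set()
    for _ in range(max_hops):
        if url in seen:
            return {"verdict": "loop", "chain": chain}
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status in REDIRECTS and location:
            nxt = urljoin(url, location)  # Location may be a relative path
            if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme != "https":
                return {"verdict": "downgrade", "chain": chain}
            url = nxt
            continue
        # Final (non-redirect) response: the scheme of this URL decides the verdict.
        secure = urlsplit(url).scheme == "https"
        verdict = "redirects-to-https" if secure else "served-over-http"
        return {"verdict": verdict, "chain": chain}
    return {"verdict": "too-many-redirects", "chain": chain}

def live_fetch(url, timeout=5):
    """One HEAD request with redirects not followed, for sites you operate."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (hypothetical hosts) so the check runs offline.
SAMPLE = {
    "http://good.example/": (301, "https://good.example/"),
    "https://good.example/": (200, None),
    "http://plain.example/": (200, None),
    "http://rel.example/": (302, "/home"),
    "http://rel.example/home": (200, None),
    "http://down.example/": (301, "https://down.example/"),
    "https://down.example/": (302, "http://down.example/landing"),
}

def sample_fetch(url):
    return SAMPLE[url]
```

To check a live site, pass `live_fetch` in place of `sample_fetch`.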

"We fully support Google's flagging of insecure Web sites as it could potentially create great risk for the user," comments Karl Nimmo, founder and CEO of InTouch, an enterprise-grade process engine that delivers secure, authenticated and audit trailed workflows, through a messaging interface.

"There is no good excuse for a Web site to not use the secure HTTPS protocol."

Besides a minor fee, there is no barrier to entry, says Nimmo. "Any business that takes itself seriously should be using HTTPS and a number of other security and encryption protocols in their business and customer environment."

According to Nimmo, HTTP Web sites are vulnerable to attack, and so are their users. "HTTPS does in some way mitigate a few of these risks."

However, the effectiveness will rely on the individual user. "An educated, up to date user should be concerned that the site is insecure. It is particularly important for Web sites that consume personal data. HTTPS is the most secure protocol to use between your browser and the Web site, and is enough for this purpose."

He adds a caveat: "Companies and Web sites cannot rely on this alone and need to make sure other systems, processes and back-ends are protected as well."
