Starting Tuesday, you’re going to see a rash of “not secure” warnings thanks to a new version of the Google browser that flags unencrypted sites.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, is about to get a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone who controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and of course your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
- Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
- Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
- Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the GitHub programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project, which advances private web use, and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with the bureau’s push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and the “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, means there’s a strong new disincentive for website operators to put it off anymore.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others who aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
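The three behaviours described above (sites that upgrade you to HTTPS, sites that serve HTTPS only if you ask for it, and sites that hand you the unencrypted page even when you asked for the encrypted one) are easy to check for any site you operate. The following script is an added example written for this article, not code from CNET or from any of the companies named; it uses only the Python standard library, follows redirects from both http://host/ and https://host/, and sorts the result into those categories. The host names and category labels are my own choices, and the default host “example.com” is just a placeholder.

```python
"""Probe how a site answers plain HTTP and HTTPS requests (added example)."""
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # redirect chains longer than this are treated as broken


def final_scheme(url, max_hops=MAX_HOPS, timeout=5.0):
    """Follow redirects from `url`; return the scheme of the final non-redirect response.

    Certificates are verified with the system trust store, so an HTTPS probe of
    a site with a broken certificate fails (raises ssl.SSLError) rather than
    being counted as a working HTTPS site.
    """
    for _ in range(max_hops):
        parts = urlsplit(url)
        host = parts.hostname
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        if parts.scheme == "https":
            conn = http.client.HTTPSConnection(
                host, parts.port or 443, timeout=timeout,
                context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, parts.port or 80, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host, "User-Agent": "https-probe/1"})
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location headers are allowed
            continue
        return parts.scheme
    raise RuntimeError("too many redirects")


def classify(http_result, https_result):
    """Map the two probe outcomes to the categories described in the article.

    Each argument is the scheme ("http" or "https") reached when starting from
    http://host/ or https://host/, or None if that probe failed outright.
    """
    if https_result == "http":
        return "downgrades to HTTP"          # encrypted request answered unencrypted
    if http_result == "https" and https_result == "https":
        return "upgrades to HTTPS"           # plain request redirected to HTTPS
    if http_result == "http" and https_result == "https":
        return "HTTPS only on request"       # HTTP stays HTTP, HTTPS works if asked
    if http_result is None and https_result == "https":
        return "HTTPS only"                  # no HTTP listener at all
    if https_result is None:
        return "no working HTTPS"            # refused, no listener, or bad certificate
    return "unknown"


def probe(host):
    """Run both probes against `host` and classify the result."""
    results = {}
    for scheme in ("http", "https"):
        try:
            results[scheme] = final_scheme(f"{scheme}://{host}/")
        except (OSError, http.client.HTTPException, RuntimeError):
            results[scheme] = None  # includes DNS failures and certificate errors
    return classify(results["http"], results["https"])


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:] or ["example.com"]:  # placeholder default host
        print(f"{h}: {probe(h)}")
```

Run it as `python probe.py yourdomain.example` for the sites you are responsible for. “Upgrades to HTTPS” is the outcome Chrome’s change is pushing toward; “HTTPS only on request” means a visitor who types the bare domain will still get the “not secure” label; “downgrades to HTTP” means even security-conscious visitors end up unencrypted. Because the HTTPS probe verifies the certificate, an expired or mismatched certificate shows up as “no working HTTPS”, which is usually the first thing to fix.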
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?’”