Google issued a warning to website publishers that any HTTP sites using forms, login fields and other input sections will be flagged as "not secure" by the Chrome browser starting this October.
The move is the natural next step in a series of actions the Mountain View, Calif.-based company has taken to increase online security. In January it started marking HTTP sites that collect passwords or credit cards as not secure in Chrome v. 56. In April, it announced Chrome will also show the “not secure” warning in two additional situations: when users enter data on an HTTP page and on all HTTP pages visited in Incognito mode.
Chrome Cracks Down on HTTP
The most recent warning assured users of its Search Console tool that the October deadline would cover more than originally outlined in April.
Starting with the next version of Chrome, Chrome 62, any site that asks users to submit any information over an unencrypted HTTP connection will be flagged as not secure.
“Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we’re ready to take the next steps,” the Chrome team explained in the April announcement.
The current changes reflect those next steps. When users browse Chrome in Incognito mode, they have increased expectations of privacy. However, HTTP browsing is not private to others on the network, Google explained. And security demands are only going to get tougher:
“Eventually, we plan to show the 'Not secure' warning for all HTTP pages, even outside Incognito mode. We will publish updates as we approach future releases, but don’t wait to get started moving to HTTPS.”
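For publishers auditing their own pages, the staged criteria described above can be written as a small check. This is an added example, not code from Google or CMSWire. It assumes that the presence of a typeable field stands in for "users enter data" and that `cc-` autocomplete tokens mark credit card fields; the function names and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: autocomplete tokens starting "cc-" mark credit card fields.
NON_TYPED = {"hidden", "submit", "button", "reset", "image", "checkbox", "radio"}

class FieldScanner(HTMLParser):
    """Records which kinds of user-input fields a page contains."""
    def __init__(self):
        super().__init__()
        self.sensitive = False  # password or credit card field present
        self.any_input = False  # any field a user can type into

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "textarea":
            self.any_input = True
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind in NON_TYPED:
                return
            self.any_input = True
            auto = (a.get("autocomplete") or "").lower()
            if kind == "password" or "cc-" in auto:
                self.sensitive = True

def chrome_warning_stage(url, html, incognito=False):
    """Earliest stage at which the page is flagged, or None if not served over HTTP."""
    if urlsplit(url).scheme != "http":
        return None
    scan = FieldScanner()
    scan.feed(html)
    if scan.sensitive:
        return "Chrome 56"
    if scan.any_input or incognito:
        return "Chrome 62"
    return "planned"  # the eventual all-HTTP warning; no release is named

# Constructed sample pages (not real sites).
SAMPLES = {
    "http://shop.example/login": '<form><input type="password" name="p"></form>',
    "http://shop.example/pay": '<input autocomplete="cc-number" name="card">',
    "http://blog.example/": '<form><input type="search" name="q"></form>',
    "http://static.example/about": "<h1>About us</h1>",
    "https://shop.example/login": '<form><input type="password" name="p"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(url, "->", chrome_warning_stage(url, html))
```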
Why HTTPS?
With the rising number and frequency of website attacks, the only surprising thing in the announcement is it's taken this long for Google to get tough.
HyperText Transfer Protocol (HTTP) is the protocol over which data is sent between your browser and the website you are connected to.
HyperText Transfer Protocol Secure (HTTPS) scrambles any messages sent using an agreed-upon "code" so that no one in between can read them. This keeps information safe from hackers.
Francis Dinha, CEO of Pleasanton, Calif.-based OpenVPN Technologies, told CMSWire that the push to HTTPS is an important step and should help combat issues such as man-in-the-middle (MITM) attacks.
“This would eliminate man-in-the-middle (MITM) attack, an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other,” he said.
“One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.”
However, Dinha warns HTTPS only guarantees a secure connection when you’re communicating with "real websites."
“A malicious website can use secure HTTP (i.e., HTTPS), giving you a secure connection while impersonating a legitimate website, enabling them to steal your credentials,” he added.
“Your device can also be infected by malware that can spoof and monitor your data exchange before it’s encrypted. HTTPS does not help in this case either.”
A Time for Action
Like other web publishing companies, CMSWire is taking measures to ensure that the website is secure.
“This is an aggressive but good move on the part of Google. I'm happy to see them doing this, but the timeline could have been longer,” said Brice Dunwoodie, president of Simpler Media Group, the parent company of CMSWire.
“Admittedly, we at CMSWire are not yet prepared for the change, but in the dog days of summer, it's certainly spurred us into action and caused some excitement in our IT department.”