Chrome is about to start warning users that non-HTTPS sites are insecure

An imminently forthcoming version of Google's Chrome browser will flip the way that browsers convey information about privacy and security to users: instead of discreetly informing users that the HTTPS-enabled sites they're browsing are more secure, it will flag any non-HTTPS site as insecure, with a series of escalating alerts that will end -- at some unspecified date -- by displaying an exclamation point inside a red triangle and the letters HTTP next to the web addresses of non-HTTPS sites.

The red triangle/exclamation point icon was arrived at after the Chrome team commissioned research around the world to figure out which symbols alarmed users the most.

The increased interest in encrypting all web-sessions is part of a wider movement that includes two EFF-affiliated projects: HTTPS Everywhere (which turns on secure connections wherever possible) and Let's Encrypt (a certificate authority that gives free cryptographic certificates -- necessary for secure web connections -- to anyone who asks).

It's also related to Certificate Transparency, which catches certificate authorities that issue bogus cryptographic credentials; such credentials allow cyber-arms dealers to create weapons that let governments spy on internet connections.

Last month, two Chinese certificate authorities were outed for issuing bogus certs, leading browser vendors to blacklist all certs issued by WoSign and StartCom in their browsers.

Since she started as a security engineer at Google nearly a decade ago, Tabriz has approached her job as a white-hat hacker with an understanding that security problems are not merely technical but human. After repeatedly finding and fixing the same bugs in the company’s code, for instance, she says she became determined to instead fix Google’s coders. So in 2010 she and a fellow Googler started Google’s “Resident Hacker” program, a crash course in information security training for programmers so they could learn to find, exploit, and patch bugs in their own work.

Tabriz’s interest in HTTPS in particular was piqued in 2011, when her colleagues on the security team discovered that the certificate authority DigiNotar—one of the companies tasked with handing out the certificates that authenticate the identity of an HTTPS website—had been breached by hackers. The attackers then used their access to fake encrypted connections to Google sites like Gmail and eavesdropped on visitors. The attack appeared to be the work of the Iranian government, affecting more than 300,000 mostly Iranian victims. For Tabriz, whose father is an Iranian who periodically returns to his hometown of Tehran, the attack carried personal resonance. She remembers reading a comment from one Iranian on a blog post about the incident: “For you guys, a fake certificate means a stolen password or personal information,” he wrote. “For me and thousands of other Iranians, it leads to jail, torture or even death sentence.”

So when Tabriz took over the Chrome security team in 2014, she put a new focus on not just locking down Chrome but the entire web that users see through it. Google has long fought to advance Chrome’s security beyond that of other browsers. Chrome was the first popular browser to implement a rigorous “sandbox”—a security measure that limits how deeply a malicious web page can reach into a user’s computer—to automatically install security updates, and to pay bounty rewards in the hundreds of thousands of dollars for information about the browser’s security flaws. But Tabriz’s HTTPS push meant looking beyond Chrome’s own code and pulling up the rest of the web’s security to meet its standards.

Google’s Chrome Hackers Are About to Upend Your Idea of Web Security [Andy Greenberg/Wired]

Notable Replies

  1. I'll have a drink for all you call center folks that get to explain this to panicked users.

    Stay strong :muscle:

  2. Of course, the irony of this post is that when I clicked through Feedly to read it, it directed me to the non-HTTPS version of BoingBoing. Maybe time to redirect all non-HTTPS requests accordingly?

  3. I realise plain HTTP will have to be deprecated at some point along the road to the Security Promised Land, but I have all sorts of vague misgivings about this.

    As Israel_B very rightly says, conflating HTTPS with secure sites is misleading. This warning will train users to think that certificate problems are a sign of malware, rather than an operator who lacks the time / money / expertise to maintain a certificate. Meanwhile, most actual malware will continue to go unflagged by Chrome, and in a world where lots of sites display warning messages, users will read the absence of warnings as a clean bill of health. So although the goal is to secure users against (mainly) state intrusion, the effect could be that this, and all other types of web-based evil, are implicitly blamed on church and model railroad club websites.

    tl;dr The headline could just as well read "Chrome is about to start warning users that amateur websites are insecure".

  4. Oh cool. So now I need to pay for a certificate to run my blog. :expressionless:
    Let's Encrypt only works with sites where you have shell access.

    I do nothing but advocate for more encryption. But HTTPS is not just encryption, it's also a racketeering scheme for third-party identification.

    You're not the internet police, Google. Knock it off.

  5. Hopefully Google/Chrome has the guts to start flagging CDNs' bogus man-in-the-middle SSL certs. Most people don't realize that many CDNs fundamentally break the HTTPS/SSL system in the very way that SSL is supposed to prevent.

    Not to mention all the ads, malware, and other bad actors that use CDNs to get around being blocked. I hate having to clear 5 random CDNs from my browser block just to view a webpage. ugggh. HTTP 2 makes the only real benefit to CDNs reduced server load and geographic distribution. With HTTP 2/HTTPS we no longer see blocking connections or the restrictive connection limit per domain, which was one of their original primary advantages.
