Chrome is about to start warning users that non-HTTPS sites are insecure


An imminently forthcoming version of Google's Chrome browser will flip the way that browsers convey information about privacy and security to users: instead of discreetly informing users that the HTTPS-enabled sites they're browsing are more secure, they'll flag any non-HTTPS site as insecure, with a series of escalating alerts that will end — at some unspecified date — by displaying an exclamation point inside red triangle and the letters HTTP next to the web addresses of non-HTTPS sites.

The red triangle/exclamation point icon was arrived at after the Chrome team commissioned research around the world to figure out which symbols alarmed users the most.

The increased interest in encrypting all web-sessions is part of a wider movement that includes two EFF-affiliated projects: HTTPS Everywhere (which turns on secure connections wherever possible) and Let's Encrypt (a certificate authority that gives free cryptographic certificates — necessary for secure web connections — to anyone who asks).

It's also related to Certificate Transparency, which catches certificate authorities who issue bogus cryptographic credentials, which allow cyber-arms dealers to create weapons to let governments spy on internet connections.

Last month, two Chinese certificate authorities were outed for issuing bogus certs, leading to browser vendors blacklisting all certs issued Wosign and Startcom in their browsers.

Since she started as a security engineer at Google nearly a decade ago, Tabriz has approached her job as a white-hat hacker with an understanding that security problems are not merely technical but human. After repeatedly finding and fixing the same bugs in the company's code, for instance, she says she became determined to instead fix Google's coders. So in 2010 she and a fellow Googler started Google's "Resident Hacker" program, a crash course in information security training for programmers so they could learn to find, exploit, and patch bugs in their own work.

Tabriz's interest in HTTPS in particular was piqued in 2011, when her colleagues on the security team discovered that the certificate authority DigiNotar—one of the companies tasked with handing out the certificates that authenticate the identity of an HTTPS website—had been breached by hackers. The attackers then used their access to fake encrypted connections to Google sites like Gmail and eavesdropped on visitors. The attack appeared to be the work of the Iranian government, affecting more than 300,000 mostly Iranian victims. For Tabriz, whose father is an Iranian who periodically returns to his hometown of Tehran, the attack carried personal resonance. She remembers reading a comment from one Iranian on a blog post about the incident: "For you guys, a fake certificate means a stolen password or personal information," he wrote. "For me and thousands of other Iranians, it leads to jail, torture or even death sentence."

So when Tabriz took over the Chrome security team in 2014, she put a new focus on not just locking down Chrome but the entire web that users see through it. Google has long fought to advance Chrome's security beyond that of other browsers. Chrome was the first popular browser to implement a rigorous "sandbox"—a security measure that limits how deeply a malicious web page can reach into a user's computer—to automatically install security updates, and to pay bounty rewards in the hundreds of thousands of dollars for information about the browser's security flaws. But Tabriz's HTTPS push meant looking beyond Chrome's own code and pulling up the rest of the web's security to meet its standards.

Google's Chrome Hackers Are About to Upend Your Idea of Web Security [Andy Greenberg/Wired]