Google Axes Green Padlock Sign from HTTPS Sites
Google won the desktop browser war in 2016, toppling the erstwhile king, Microsoft’s Internet Explorer, and as of this writing its minimalist Chrome browser commands over 60% of the desktop space. Its growth in market share has been matched by the spread of Google’s influence on the web. The company pushed innovative technologies like SPDY and initial support for the revolutionary TLS 1.3. The result is a safer and faster web for everyone who chooses Chrome over competing browsers.
As far as web technologies go, Chrome needs no further introduction. Thanks to its overwhelming market share, Google can throw its weight behind policies that not only affect Chrome but also pressure other web browsers to follow.
Emily Schechter, Google’s Chrome Security product manager, announced in an official Chromium blog post a massive visual change to how Chrome navigates the web. She said: “Users should expect that the web is safe by default. Since we’ll soon start marking all HTTP pages as ‘not secure’, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the ‘Secure’ wording and HTTPS scheme in September 2018 (Chrome 69).”
The venerable padlock has represented encryption on the web for ages. It has been adopted by virtually all web browsers since SSL encryption became available in the 1990s. It gained more prominence when various browsers gave it a lick of green color to improve its visibility as screen resolutions improved.
Google expects encryption to be the norm on the web, while non-HTTPS pages will slowly but surely be deprecated. Chrome will flag non-encrypted pages in red as “insecure” sites, giving the mark visual prominence to alert users.
Emily added: “Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red ‘not secure’ warning when users enter data on HTTP pages.”
This decision by the Chrome development team reverses the notion that the padlock is synonymous with security. Google wants to steer the web in a direction where pages are expected to be encrypted by default, with the tiny minority of pages on the Internet that remain unencrypted progressively marked as insecure.
Craig Stewart, VP for Europe and Asia at Venafi, a cyber security firm, stressed: “Many organizations do not properly track which certificates they have applied where, and have thousands of certificates that they are unaware of. However, as we’ve already seen from the depreciation of SHA-1 certificates, organizations are typically slow to react to warnings of this kind and can often underestimate the task at hand.”
Craig concluded: “Just the task of discovering these and making sure they are upgraded to HTTPS will be a big task and, if done manually, there are likely to be gaps which cause disruption to customers and business processes. This is why businesses need to take control of their security and use automation to enable them to be agile in applying new changes such as switching from HTTP to HTTPS certificates.”
Julia Sowells