Got any HTTP page with a search field? Chrome will soon label it ‘Not Secure’


Chrome will soon tell its one billion users that any HTTP page that allows users to type in data is not secure.

The example Google offers highlights that this means any site with a search field will be labelled ‘Not Secure’ unless it is served as an HTTPS page. Enabling HTTPS requires that the site operator acquire a digital SSL/TLS certificate so that data is exchanged over the internet on an encrypted connection.

Fortunately, there are free options, such as Let’s Encrypt, but still there are many sites — including ebay.com, BBC.co.uk, cnn.com and this site — with search fields that don’t work on HTTPS, as Google’s transparency report shows.

Google’s Chrome security team announced in October that it would gradually expand its use of non-secure labels for HTTP sites. It hasn't revealed a timeline for when it will introduce non-secure labels for each scenario, but is giving site owners a few months to prepare before the policy takes effect.

For example, it gave web developers three months’ warning before the January release of Chrome 56, when the browser began labelling HTTP pages that take logins and payment card details as not secure.

The new policy is likely to have a wider impact, given that pages with user input fields are far more common than those with login or payment fields.

Perhaps acknowledging this, Google is giving site owners six months to prepare for the change, which takes effect in Chrome 62, scheduled for stable release on 24 October.

“Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we’re ready to take the next steps,” said Emily Schechter, a product manager for the Chrome Security Team.

Firefox maker Mozilla has rolled out a similar policy for HTTP pages. In March, a website owner protested the change after users became worried by ‘Not Secure’ warnings on the site’s login page, and asked Mozilla to remove the warnings from his site.

As of Chrome 62, the browser will also begin labelling all HTTP sites as non-secure when the user is in incognito mode. This is to remind people that switching on incognito mode only stops Chrome from saving their browsing history; it does not prevent others on the network from seeing their traffic.
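A site owner who wants to know which pages will pick up the label before Chrome 62 ships can approximate the rules described above statically. The following script is an added example, not Google’s code or the article’s: it treats any HTTP page containing a typable field (text, search, textarea, and so on) as one Chrome 62 would flag, a password field as one Chrome 56 already flags, and every HTTP page as flagged in incognito mode. Chrome itself applies the Chrome 62 rule when the user actually types, so a static field count is an approximation; the sample pages and the example.test hostname are constructed for the demonstration.

```python
"""Static approximation of Chrome's 'Not Secure' labelling rules as the
article describes them (assumption: a page with a typable field counts as
one a user can type into). Sample pages and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types that do not accept typed text; they are ignored here.
NON_TEXT_INPUT_TYPES = {"hidden", "submit", "button", "reset", "image",
                        "checkbox", "radio", "file", "range", "color"}


class InputFieldFinder(HTMLParser):
    """Collects (tag, type, name) for every user-typable field on a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        # handle_startendtag() delegates here, so self-closing <input/> is seen too.
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind in NON_TEXT_INPUT_TYPES:
                return
        elif tag == "textarea":
            kind = "textarea"
        else:
            return
        self.fields.append((tag, kind, a.get("name", "")))


def find_input_fields(html):
    finder = InputFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.fields


def chrome_label(url, html, incognito=False):
    """Returns (label, reason) where label is 'Secure', 'Neutral' or 'Not Secure'."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "Secure", "served over HTTPS"
    if scheme != "http":
        return "Neutral", "not an http(s) URL"
    if incognito:
        return "Not Secure", "HTTP page in incognito mode (Chrome 62)"
    fields = find_input_fields(html)
    if any(kind == "password" for _, kind, _ in fields):
        return "Not Secure", "password field on HTTP page (Chrome 56)"
    if fields:
        names = ", ".join(f"{kind}:{name or '?'}" for _, kind, name in fields)
        return "Not Secure", f"user input on HTTP page (Chrome 62): {names}"
    return "Neutral", "HTTP page without input fields"


# Constructed sample pages; example.test is a reserved name, not a real site.
SEARCH_PAGE = ("<html><body><form action='/search'><input type='search' name='q'/>"
               "<input type='submit'/></form></body></html>")
LOGIN_PAGE = "<form method='post'><input name='user'><input type='password' name='pw'></form>"
STATIC_PAGE = "<html><body><h1>About</h1><p>No forms here.</p></body></html>"

SITE_INVENTORY = [
    ("http://www.example.test/", SEARCH_PAGE),
    ("https://www.example.test/", SEARCH_PAGE),
    ("http://www.example.test/login", LOGIN_PAGE),
    ("http://www.example.test/about", STATIC_PAGE),
]


def audit(pages, incognito=False):
    """Returns the URLs that would carry the 'Not Secure' label, with reasons."""
    return [(url, reason) for url, html in pages
            for label, reason in [chrome_label(url, html, incognito)]
            if label == "Not Secure"]


if __name__ == "__main__":
    for url, reason in audit(SITE_INVENTORY):
        print(f"{url}: Not Secure ({reason})")
```

Running the script lists the HTTP search page and the HTTP login page as flagged, while the HTTPS copy of the search page and the static HTTP page are not; pass `incognito=True` to `audit()` and every HTTP page is listed. The fix in all cases is the same one the article names: serve the page over HTTPS.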

“Eventually, we plan to show the “Not secure” warning for all HTTP pages, even outside Incognito mode,” said Schechter.

Part of the motivation for the HTTP warnings is the introduction of JavaScript-based service workers, which enable offline capabilities and other useful features for browsers and websites but could pose a threat to user privacy on an unencrypted connection. Since a service worker can be used to hijack a connection or spoof a response, Google requires web developers who use these capabilities to do so on an HTTPS-enabled server.
