Some years back, Google’s search engine started giving priority to encrypted HTTPS connections. Websites that protect their content get an additional benefit over sites that use unsafe HTTP. In a “carrot and stick” example, that’s the carrot: rewarding security with better reach.
Later this year comes the stick. This summer, Google will mark non-HTTPS websites as insecure in its Chrome browser, fulfilling a plan rolled out in September 2016.
Starting with Chrome 68, due to hit the stable distribution channel in July 2018, visiting a website over an HTTP connection will prompt the message “Not secure” in the browser’s Omnibox – the display and input field that accepts both URLs and search queries.
“Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web toward a secure HTTPS web by default,” Google explained in a draft blog post due to be published today and provided in advance to The Register.
Because Chrome holds 56 percent of the global browser market share across mobile and desktop platforms, Google’s name-and-shame label is expected to be noticed by a great many Chrome users and by any websites those users no longer visit due to security concerns.
While many websites will be affected, plenty are already in compliance. According to Google, 81 of the top 100 websites use HTTPS by default, over 68% of Chrome traffic on Android and Windows occurs over HTTPS, and over 78% of Chrome traffic on Chrome OS, macOS and iOS flows securely.
Does that mean HTTP websites are insecure?
The answer is, it depends. If you are browsing the web, looking at cat memes and dreaming about that $200 cable knit sweater, HTTP is fine. However, if you’re logging into your bank or entering credit card information on a payment page, it’s imperative that the URL uses HTTPS. Otherwise, your sensitive data is at risk.
When HTTPS fails
HTTPS isn’t 100% reliable, as the Heartbleed vulnerability proved in April 2014. The Heartbleed vulnerability wasn’t necessarily a weakness in SSL; it was a weakness in the software library that provides cryptographic services (like SSL) to applications.
Security teams, network administrators, and operations teams have busy times ahead. Google’s Chrome development team is quite upset with Symantec as a certificate authority and has announced plans to no longer extend trust to current Symantec certificates.
In the past 18 months, Google has repeatedly tangled with Symantec over the way it issues transport layer security (TLS) certificates, with Symantec promising to do better.
What is Happening?
Chrome will stop recognizing Symantec’s Extended Validation certificates. EV certificates are supposed to convey the maximum guarantee of a website’s authenticity because the certificate holder has to go through a strict verification procedure to receive a certificate of that level. Since Google doesn’t trust Symantec’s processes anymore, Chrome will recognize that the site has a certificate, but won’t treat it as EV.
From the user’s point of view, that means the name of the domain owner will not show in green next to the padlock in the browser address bar. Google is downgrading the higher-class certificates issued by Symantec for at least a year.