Chrome is getting serious about websites that don’t use encryption. The next version of Chrome will include a new warning for unencrypted login sites, according to a post today on the Google Security Blog. Chrome 56, which is planned to launch in January, will mark HTTP login pages as “not secure” in a window next to the address bar. Unencrypted HTTP is particularly dangerous for login pages, as it could allow an attacker to intercept passwords as they travel across the network.
The post also lays out Chrome’s long term plan for discouraging unencrypted web connections. In the years to come, the team plans to warn Chrome users away from all sites served over unencrypted HTTP, beginning with Incognito mode “where users may have higher expectations of privacy.” Planned changes include labeling all HTTP pages with the red triangle warning symbol, currently only used for irregularities in HTTPS.
“Chrome currently indicates HTTP connections with a neutral indicator,” writes Emily Schechter of the Chrome Security team. “This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.” That weakness can be used to inject malware seamlessly into unencrypted web traffic, commonly known as an injection attack.
A 2015 survey found roughly a third of web requests were served over HTTPS, and that percentage has certainly grown in the months since the survey was conducted. Google has also pushed for encryption on its own products, and as of March, roughly three-quarters of requests from Google products used HTTPS.