The Chromium security team has a proposal it hopes to start rolling out to Internet users in the new year: browsers should tell users plainly that HTTP connections provide no data security. Google's longer-term vision is that encrypted HTTPS connections become the norm on the web.
In a blog post on the Chromium Project website, the team proposed that user agents (UAs) gradually change the way they present HTTP traffic and begin to display "non-secure origins as affirmatively non-secure." As the post puts it, "the goal of this proposal is to more clearly display to users that HTTP provides no data security."
“We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin,” the Chromium team continued.
Internet users often trade security for usability while online, and Google hopes to change that. The company suggests that browsers begin to indicate that a site is non-secure in much the same way they currently indicate that a site is secure, with the padlock or green address bar; in effect, the indicator would communicate the opposite message to the end user.
The post also notes that HTTPS is what stands between users and network attackers: without it, a man-in-the-middle on the path between browser and server can read or alter everything exchanged over plain HTTP, along with the many other risks that come with an unauthenticated, unencrypted connection.
“We know that people do not generally perceive the absence of a warning sign,” the Google Chrome Security Team wrote. “Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP.”
The Chromium security team suggests that browsers define three basic transport layer security (TLS) states for an origin:
- Secure (valid HTTPS, or other origins like (*, localhost, *), i.e. any scheme and any port on the localhost host)
- Dubious (valid HTTPS but with mixed passive resources, or valid HTTPS with minor TLS errors)
- Non-secure (broken HTTPS, or plain HTTP)
Google encourages user agent vendors to take a phased approach to implementing such changes, based on their users' needs and their own design constraints.
“Generally, we suggest a phased approach to marking non-secure origins as non-secure,” the Chromium security team writes. “For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins.”
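To make the three-state model and the phased rollout concrete, here is an added example (not code from the Chromium proposal or from this article) that classifies a page load into the Secure, Dubious and Non-secure states above and then maps a Non-secure origin to a display treatment depending on the rollout phase. The inputs (certificate validity, TLS error severity, loaded subresources) are assumed to come from the browser's network stack and are passed in as plain objects; the set of "passive" resource types, the display names, the handling of active mixed content and the sample loads are all assumptions made for the example.

```javascript
// Added example, not code from the Chromium proposal or the article.
// Classifies a page load into the proposal's three transport-security states
// and applies the phased display mapping the proposal suggests.

const STATE = Object.freeze({
  SECURE: 'secure',
  DUBIOUS: 'dubious',
  NON_SECURE: 'non-secure',
});

// How a UA might draw each state in the address bar (assumed names).
// NEUTRAL is today's treatment of plain HTTP: no indicator at all.
const DISPLAY = Object.freeze({
  SECURE: 'lock',         // green lock / green bar
  DUBIOUS: 'warning',     // lock with a warning badge
  BAD: 'broken-lock',     // red, struck-through https (broken HTTPS)
  NEUTRAL: 'none',
});

// Subresource types behind the proposal's "mixed passive resources":
// content that is rendered but cannot execute (assumed set).
const PASSIVE_TYPES = new Set(['image', 'audio', 'video']);

// The proposal's "(*, localhost, *)" origin pattern: any scheme, any port,
// host exactly "localhost".
function isLocalhostOrigin(url) {
  return url.hostname === 'localhost';
}

// load = { url, certValid, tlsError: 'none'|'minor'|'fatal',
//          subresources: [{ url, type }] }
function classify(load) {
  const page = new URL(load.url);
  if (isLocalhostOrigin(page)) return STATE.SECURE;
  if (page.protocol !== 'https:') return STATE.NON_SECURE;   // plain HTTP
  if (!load.certValid || load.tlsError === 'fatal') {
    return STATE.NON_SECURE;                                  // broken HTTPS
  }

  // Resolve each subresource against the page URL so relative paths inherit https:.
  const mixed = (load.subresources || [])
    .filter((r) => new URL(r.url, load.url).protocol === 'http:');
  // Assumption not covered by the proposal: http:// scripts or frames on an
  // https page (active mixed content) are treated as broken HTTPS here.
  if (mixed.some((r) => !PASSIVE_TYPES.has(r.type))) return STATE.NON_SECURE;

  if (mixed.length > 0 || load.tlsError === 'minor') return STATE.DUBIOUS;
  return STATE.SECURE;
}

// Phased rollout from the proposal: Non-secure origins first look like
// Dubious ones (medium term), then like Bad ones (long term).
const PHASE = Object.freeze({ INITIAL: 0, MEDIUM_TERM: 1, LONG_TERM: 2 });

function displayFor(load, phase) {
  const state = classify(load);
  if (state === STATE.SECURE) return DISPLAY.SECURE;
  if (state === STATE.DUBIOUS) return DISPLAY.DUBIOUS;
  // Non-secure: broken HTTPS is already drawn as Bad today; plain HTTP is
  // the case whose presentation the proposal changes over time.
  if (new URL(load.url).protocol === 'https:') return DISPLAY.BAD;
  if (phase === PHASE.MEDIUM_TERM) return DISPLAY.DUBIOUS;
  if (phase === PHASE.LONG_TERM) return DISPLAY.BAD;
  return DISPLAY.NEUTRAL; // today: HTTP gets no indicator at all
}

// Constructed sample loads for illustration (not real telemetry).
const SAMPLE_LOADS = {
  cleanHttps:  { url: 'https://example.com/', certValid: true,  tlsError: 'none',
                 subresources: [{ url: '/app.js', type: 'script' }] },
  mixedImage:  { url: 'https://example.com/', certValid: true,  tlsError: 'none',
                 subresources: [{ url: 'http://cdn.example.com/logo.png', type: 'image' }] },
  minorTls:    { url: 'https://example.com/', certValid: true,  tlsError: 'minor', subresources: [] },
  brokenHttps: { url: 'https://example.com/', certValid: false, tlsError: 'fatal', subresources: [] },
  plainHttp:   { url: 'http://example.com/' },
  localDev:    { url: 'http://localhost:8080/' },
};

// Classify every sample and show what a UA in the given phase would display.
function report(phase) {
  const out = {};
  for (const [name, load] of Object.entries(SAMPLE_LOADS)) {
    out[name] = { state: classify(load), display: displayFor(load, phase) };
  }
  return out;
}

console.log(report(PHASE.LONG_TERM));
```

Running `report(PHASE.INITIAL)` shows the situation the proposal objects to: the plain-HTTP load gets no indicator at all while the broken-HTTPS load is drawn as Bad, even though neither provides any data security. Under `PHASE.LONG_TERM` both land on the same Bad treatment.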
Google's latest move will likely push more sites to HTTPS; the company's search engine has already been encouraging the switch this year by giving preference in its rankings to sites that secure their users' connections.
Google intends to begin deploying the change in its own Chrome browser in 2015.