Google Chrome Plans to Mark All HTTP Traffic as Non-Secure Starting in 2015

Standard HTTP communications provide absolutely no data security. Anyone can analyze packets sent over HTTP using readily available tools like Wireshark to obtain passwords, credit card numbers, and other sensitive data in cleartext. The HTTPS protocol makes up for this lack of security by layering HTTP on top of the secure SSL/TLS cryptographic protocol. HTTPS is already used by many sites that handle sensitive information, such as PayPal and Gmail. However, most of the internet still operates over HTTP, and Google Chrome hopes to change that.

The Chrome Security Team has proposed that browsers gradually start marking all HTTP traffic as non-secure. All popular web browsers currently display no warnings when accessing content over HTTP, even though it potentially makes users vulnerable to man-in-the-middle attacks and state surveillance.

The Need for HTTPS

Network surveillance and tampering isn’t simply a theoretical threat. Malicious users on public Wi-Fi hotspots as well as government agencies such as the National Security Agency have taken advantage of sensitive information sent over HTTP. In fact, this slide from the NSA’s formerly secret XKeyscore program succinctly states why the agency is interested in snooping on HTTP communications.

[Image: XKeyscore slide on HTTP]

While the slide is a bit outdated, as sites like Facebook and Gmail now strictly enforce HTTPS, most of the internet still does not.

The Plan

Web browsers today typically show a lock icon in the address bar to indicate a connection is secure through HTTPS, or some sort of warning icon if there is mixed content on the page. Yet ironically, users aren’t presented with any warnings when a connection is completely non-secure.

The Chrome Security Team categorises transport layer security into three general states:

  • Secure (valid HTTPS, other origins like (*, localhost, *));
  • Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
  • Non-secure (broken HTTPS, HTTP).
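The three states can be turned into a site-owner audit. The following is an added example, not code from Chrome or from the proposal: it scans a page's HTML for subresources that would load over plain HTTP and maps the result to a state. It goes beyond the list above in two labelled assumptions: the passive/active split by tag, and treating active mixed content as broken HTTPS. The names `classify`, `MixedContentFinder` and the `example.test` URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed split: passive = display-only media, active = can script or restyle the page.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}

# Constructed sample page, not taken from any real site.
SAMPLE = """<head><link rel="canonical" href="http://example.test/page">
<link rel="stylesheet" href="/site.css"></head>
<body><img src="http://img.example.test/logo.png">
<img src="//cdn.example.test/banner.png">
<a href="http://example.test/other">other page</a></body>"""


class MixedContentFinder(HTMLParser):
    """Collects subresources an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.passive, self.active = page_url, [], []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            # Resolve relative and protocol-relative URLs against the page first.
            url = urljoin(self.page_url, (value or "").strip())
            if urlsplit(url).scheme != "http":
                continue
            if (tag, name) in PASSIVE:
                self.passive.append(url)
            elif (tag, name) in ACTIVE or ((tag, name) == ("link", "href") and "stylesheet" in rel):
                self.active.append(url)  # rel=canonical and <a href> load nothing


def classify(page_url, html, cert_valid=True, minor_tls_errors=False):
    """Return (state, passive_urls, active_urls) using the article's three states."""
    parts = urlsplit(page_url)
    if parts.hostname == "localhost":
        return "Secure", [], []
    if parts.scheme != "https" or not cert_valid:
        return "Non-secure", [], []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    if finder.active:  # assumption: active mixed content is treated as broken HTTPS
        return "Non-secure", finder.passive, finder.active
    if finder.passive or minor_tls_errors:
        return "Dubious", finder.passive, finder.active
    return "Secure", [], []
```

Calling `classify("https://example.test/page", SAMPLE)` reports the page as "Dubious" because of the single `http://` image; the protocol-relative image, the relative stylesheet, the canonical link and the anchor do not count.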

Instead of leaving HTTP websites unmarked in any way, Chrome suggests gradually marking HTTP domains from “Dubious” to entirely “Non-secure”. For instance, HTTP sites could initially be marked with an icon such as this one in the address bar rather than the blank page icon:

[Image: HTTP “Dubious” icon]

This icon indicates to the user that there is a potential problem with the website. Clicking on the icon would provide more information. As site owners gradually shift towards using HTTPS (as Chrome hopes), non-HTTPS sites can eventually be marked as completely “Non-secure”:

[Image: HTTP “Non-secure” icon]

A red icon with an “X” looks far more serious than a light orange icon with an exclamation mark. However, if Chrome were to immediately start marking all HTTP addresses with the red icon starting tomorrow, most websites on the internet would be categorised as “Non-secure” and show the red icon. The user would see red “X”s everywhere, which could soon desensitise the user to any possible threat (similar to what happened when Windows first introduced User Account Control). Instead, by taking a gradual approach, Chrome hopes to give website owners enough time to switch from HTTP to HTTPS. The Electronic Frontier Foundation (EFF) has also announced an upcoming certificate authority that will provide site owners with free SSL certificates. Perhaps eventually, when HTTPS becomes the standard across the web, it will no longer be necessary to mark HTTPS addresses with a green lock icon. Only HTTP addresses would need any sort of marking.

The Chrome Security Team plans to move forward with this proposal in 2015 and is interested to hear opinions from both developers and users. Discussions are open in the following web standards mailing lists:

Featured image from Shutterstock. XKeyscore slide from The Guardian.

I've always been interested in the latest stuff in science and technology, and I'm currently a freshman undergraduate electrical engineering student at the University of Texas at Austin.