Chrome to Label HTTP Pages with Password or Credit Card Fields as Not-Secure
Google announced today that Chrome 56 will start labeling HTTP pages that contain a password or credit card form as not secure, because of the sensitive nature of what those forms transmit. The change will come into effect starting in January 2017.
Chrome to warn when you visit insecure websites
In a post on Google’s security blog, Emily Schechter informed users of the upcoming changes. The company has said that this is the first step toward marking all HTTP sites as non-secure. In the following releases, Google also plans to extend these HTTP warnings to label HTTP pages as “not secure” in the Incognito mode. However, the blog post didn’t share any specific timeline for that planned change.
“Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,” the post shared.
Schechter noted that studies have shown that while most users understand Chrome’s green lock, they are unclear about the browser’s neutral page icon. Researchers had proposed that Google introduce clear warnings to help users learn about potentially dangerous sites. They also noted that if warnings were shown too frequently, users would become blind to them. To resolve this dilemma, Google decided to label HTTP sites more clearly and accurately without sending explicit warnings.
To move the idea forward, the company has decided to take “gradual steps, based on increasingly stringent criteria,” a plan that it will initiate in January 2017.
To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.
Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature.
In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.
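As an added example (not part of the article or any Google code), here is a small site-owner audit in Python that applies the criterion quoted above to a page's URL and HTML: it flags password inputs and inputs carrying credit-card autocomplete tokens on http:// pages, which is what Chrome 56 would label "not secure". The autocomplete token list, the label names and the sample pages are assumptions; the page does not describe Chrome's exact heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: credit-card fields are recognised by HTML autofill tokens.
CC_AUTOCOMPLETE = {"cc-number", "cc-name", "cc-exp", "cc-exp-month",
                   "cc-exp-year", "cc-csc", "cc-type"}


class SensitiveFieldFinder(HTMLParser):
    """Collect <input> elements that Chrome 56 would treat as sensitive."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, field name)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.findings.append(("password", a.get("name", "")))
        elif a.get("autocomplete") in CC_AUTOCOMPLETE:
            self.findings.append(("credit-card", a.get("name", "")))


def chrome56_label(url, html):
    """Return (label, findings) following the policy the article describes:
    HTTPS -> 'secure' (a valid certificate is assumed), HTTP with sensitive
    fields -> 'not secure', any other HTTP page -> 'neutral'."""
    if urlparse(url).scheme.lower() == "https":
        return "secure", []
    finder = SensitiveFieldFinder()
    finder.feed(html)
    if finder.findings:
        return "not secure", finder.findings
    return "neutral", []


# Constructed sample pages for the audit.
LOGIN_HTML = '<form><input name="user"><input type="password" name="pw"></form>'
CHECKOUT_HTML = '<form><input name="card" autocomplete="cc-number"></form>'
BLOG_HTML = '<form><input type="text" name="q"></form>'

if __name__ == "__main__":
    for url, html in [("http://example.test/login", LOGIN_HTML),
                      ("http://example.test/checkout", CHECKOUT_HTML),
                      ("http://example.test/blog", BLOG_HTML),
                      ("https://example.test/login", LOGIN_HTML)]:
        print(url, "->", chrome56_label(url, html))
```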