Unsecured websites: Google Chrome 68 raises the alert and applies pressure:
The Hypertext Transfer Protocol (HTTP) allows the Web browser to retrieve a Web page from the server that hosts it. HTTP has worked well, but there is a problem: it does not protect communications with encryption, which would block interception and forgery.
That’s why Google, Mozilla and other tech industry allies are encouraging websites everywhere to embrace HTTPS. And that’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn users every time they load an unencrypted website.
Chrome will display the word “unsafe” next to the website in the address bar if it is not served over HTTPS. The warning is fairly broad, but users should not panic. Its main purpose is to encourage website operators to switch to HTTPS so that they are not associated with a risk to personal data.
And for that, Chrome can count on its considerable weight on the Internet. Google’s browser accounts for 59% of web traffic, according to Statcounter, and Chrome exceeded one billion users in 2015.
The problem with HTTP:
HTTP has served the Web well, but it is vulnerable to all sorts of problems from anyone who controls the network you use. This includes in-flight Wi-Fi, cafes, hotels and, of course, your ISP.
Using HTTP for a website rather than HTTPS has always been problematic, said Nick Sullivan of Cloudflare. “All the interactions you have with an unencrypted site are broadcast to an unknown set of companies in arbitrary locations around the world. This poses a significant privacy and security problem because the content of the site can be changed without the user knowing it, allowing intermediaries to place advertisements, trackers or malware on websites.”
Troy Hunt, an independent security researcher, made a video listing possible threats on HTTP Web sites. Malicious actors can thus:
- Insert advertisements or other content that does not appear on the original website, which Comcast did for copyright warnings and for modem update pop-ups.
- Inject invisible software that mines cryptocurrency for the benefit of a third party, as practiced by a Starbucks store in Argentina in 2017.
Governments controlling the Internet infrastructure of their country also have other possibilities. The Chinese “Great Cannon” used unencrypted HTTP connections to turn visitors to the Baidu website into unintentional attackers of the GitHub programming site. And Egypt has injected advertisements and run cryptocurrency mining software on Internet users' computers, according to an Egyptian anti-censorship association.
China and Egypt may seem like distant examples, but the US authorities are also not enthusiastic about encryption. FBI director Christopher Wray warned in July that technology companies that do not respect his will to weaken encryption could be forced to do so by law.
What Chrome users see on an HTTP website:
Chrome changes have been gradual. Google announced its intention to warn of the risks of HTTP sites in 2016. It was in February that it warned that the security notification would be displayed in Chrome from July.
Currently, if you visit an HTTP website, Chrome displays an “i” icon to the left of the address, indicating that more information is available. If you click on it, Chrome says “Your connection to this site is not secure”. This is not particularly alarming, without being as reassuring as the green padlock and the word “secure” in the case of an HTTPS connection.
Starting on Tuesday with Chrome 68, an HTTP connection will display the words “unsecured” next to the info icon instead.
Then Chrome 69, expected in September, will signal that secure HTTPS connections are the norm by dropping the green colour for the padlock icon and the word “secure”. A less visible black lock will be displayed instead, Google said in May. Later, this lock will also disappear, as HTTPS will be considered the ordinary case.
Finally, in October, Chrome 70 will take a more aggressive stance on unencrypted HTTP sites by replacing the black “unsecured” warning with a more alarming red color.
“Some people simply do not want to do the work to secure their site, and at the same time, they do not want to let their visitors know that it’s not secure,” says the director of Let’s Encrypt.