Chrome 56: Google starts slapping ‘not secure’ on HTTP payment and login pages
January 29, 2017
Google’s Chrome 56 launch this week ushers in its plan to begin warning users that all HTTP pages are not secure, starting with the pages that collect login details or credit-card numbers.
Given Chrome has more than one billion users, this change to Chrome is likely to pressure website operators to at least consider enabling site-wide HTTPS.
Chrome will also call out companies that aren’t doing the basics of protecting sensitive user information by collecting information on an unencrypted connection.
Until now, Chrome only showed a neutral grey indicator on an HTTP page, which Google’s Chrome security team thinks doesn’t accurately represent the total lack of security HTTP offers.
For example, if you’re on a Wi-Fi hotspot, a third party on that network can tamper with the contents of an HTTP page. HTTPS, on the other hand, mitigates man-in-the-middle tampering and surveillance of the traffic.
The new indicator in Chrome 56 and onwards states ‘Not secure’ for HTTP login or payment pages and will eventually apply the same warning to all other HTTP pages. Google is also pushing developers to move to HTTPS by restricting powerful hardware features, such as the camera and mic, which can capture sensitive information, to pages served over HTTPS.
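Site operators who want to know which of their pages Chrome 56 will label before users see the warning can audit their own HTML with the same rule the article describes: a page served over plain HTTP that contains a password field or a credit-card field gets ‘Not secure’, an HTTPS page does not, and any other HTTP page keeps the neutral indicator for now. The script below is an added example written for this article, not Chrome’s own code; the field heuristics it uses (`<input type="password">` and the `autocomplete="cc-number"` family) are an assumption modelled on the criteria Chrome published, and the three sample pages are constructed.

```python
"""Flag pages the way Chrome 56's 'Not secure' indicator does.

Added example for this article, not Chrome's code.  Assumptions: a page
collects sensitive data when it has <input type="password"> or an <input>
whose autocomplete value names a payment-card field.  Certificate validity
and mixed content on HTTPS pages are out of scope here.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Payment-card autocomplete tokens treated as card-number collection (assumed).
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that gather login or card data."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases attribute names; normalise values too.
        a = {k: (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.fields.append("password")
        elif a.get("autocomplete") in CARD_AUTOCOMPLETE:
            self.fields.append("card:" + a["autocomplete"])


def sensitive_fields(html):
    """Return the sensitive input fields found in an HTML document."""
    parser = SensitiveFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.fields


def chrome56_verdict(url, html):
    """Return (indicator, fields) for a page at `url` with body `html`.

    'Not secure' = HTTP page collecting passwords or card data,
    'Secure'     = delivered over HTTPS,
    'Neutral'    = HTTP page without sensitive fields (grey indicator).
    """
    scheme = urlsplit(url).scheme.lower()
    fields = sensitive_fields(html)
    if scheme == "https":
        return "Secure", fields
    if fields:
        return "Not secure", fields
    return "Neutral", fields


def audit(pages):
    """Audit an iterable of (url, html) pairs; returns (url, indicator, fields)."""
    return [(url, *chrome56_verdict(url, html)) for url, html in pages]


# Constructed sample pages for a local run.
LOGIN_PAGE = """<html><body><form action="/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
</form></body></html>"""

CHECKOUT_PAGE = """<html><body><form action="/pay" method="post">
  <input name="card" autocomplete="cc-number" inputmode="numeric">
</form></body></html>"""

BLOG_PAGE = """<html><body><input type="search" name="q"></body></html>"""

if __name__ == "__main__":
    for url, verdict, fields in audit([
        ("http://example.com/login", LOGIN_PAGE),
        ("https://example.com/login", LOGIN_PAGE),
        ("http://example.com/checkout", CHECKOUT_PAGE),
        ("http://example.com/blog", BLOG_PAGE),
    ]):
        print(f"{verdict:<11} {url}  fields={fields}")
```

Running it prints one line per page, so the HTTP login and checkout pages show up as ‘Not secure’ while the same login form over HTTPS and the plain blog page do not. Feeding it the HTML of every form-bearing page on a site gives the list an operator needs to prioritise for the move to HTTPS.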
With this update, Google also paid out $53,837 to security researchers in its bug bounty program for Chrome. Google fixed a total of 51 security bugs in earlier versions of Chrome.
If you visit Google or any of its other pages and click the padlock icon to reveal and view the certificate, it will state the certificate was issued by Google Internet Authority G2 or GIAG2, rather than, say, another large CA, such as Symantec or GoDaddy. It’s not clear whether Google will provide CA services to third-party sites.
As one commenter on Hacker News pointed out, this move gives Google one more key piece of the internet’s infrastructure: “You can now have a website secured by a certificate issued by a Google CA, hosted on Google web infrastructure, with a domain registered using Google Domains, resolved using Google Public DNS, going over Google Fiber, in Google Chrome on a Google Chromebook. Google has officially vertically integrated the internet.”