December 24th, 2014, 17:01 PM
Google wants to turn browser signals of Web encryption upside down
Chrome security engineers have proposed that all websites that don't encrypt traffic be marked as insecure by browsers.
The proposal, which was floated earlier this month, would dramatically change the visual signals in a browser's address bar, which now shows an indicator -- a "lock" icon in some cases -- only when a website is encrypted with SSL (Secure Sockets Layer) or TLS (Transport Layer Security), SSL's replacement. Those sites' addresses are prefaced by https rather than the more common http.
Unencrypted sites do not display any special visual sign.
"We, the Chrome security team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure," the engineers said in messages spread across several discussion forums, including Google's own Chromium project. "The goal of this proposal is to more clearly display to users that HTTP provides no data security."
Chrome's argument was that, without HTTPS and SSL/TLS encryption, traffic between a user's browser and a website is inherently unsafe. The visual display should explicitly call that out.
"We know that people do not generally perceive the absence of a warning sign," Chrome's engineers wrote. "Yet the only situation in which Web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP."
If the changes are made, they would reverse decades of leaving HTTP unmarked and tagging only those sites that are encrypted or that exhibit some kind of problem, such as suspected malicious websites. Browser users have long been told to look at the address bar for signs of encryption, not for signs of its absence.
While Google did not spell out exactly how HTTP addresses would be marked as insecure, it suggested that browser makers take a measured, step-by-step approach in 2015, when HTTP addresses would somehow first be marked as "dubious" and only later be tagged as "non-secure" with in-browser flags. Those would most likely be coded using color or designated with an icon, the practices now used in browsers to peg HTTPS, but the specifics would be left up to each browser developer.
At some point down the line, the signs for HTTPS -- such as the lock icon -- would disappear as encrypted traffic would be assumed as the norm.
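The phased rollout the article describes (HTTP unmarked today, then "dubious", then "non-secure", and finally the lock for HTTPS disappearing) comes down to two decisions a user agent has to make: is this origin secure, and what indicator does the current phase assign to that answer. The snippet below is an added example, not code from the article or from the Chrome team; it classifies an origin using the scheme and loopback rules of the W3C Secure Contexts "potentially trustworthy origin" definition (an assumption about how a UA would decide, and broader than the plain http/https split the article discusses), then maps the result to a label for each phase. The phase names and label strings are constructed for illustration.

```javascript
// Added example (not from the article or from Chrome). Decides whether an
// origin is secure and which address-bar label each rollout phase would give it.

// Assumption: a UA treats https, wss and file origins, plus loopback hosts
// reached over any scheme, as "potentially trustworthy" (W3C Secure Contexts).
function isPotentiallyTrustworthy(origin) {
  let url;
  try {
    url = new URL(origin); // normalises case, e.g. "HTTPS://Example.com"
  } catch (e) {
    return false; // unparseable input is never treated as secure
  }
  const scheme = url.protocol.replace(/:$/, "");
  if (scheme === "https" || scheme === "wss" || scheme === "file") return true;

  // Loopback: plain http to the local machine never leaves the host.
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]" || host === "::1") return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;

  return false; // everything else, notably http:// to a remote host
}

// Constructed phase table modelling the transition described in the article:
// today only HTTPS is marked; later HTTP is flagged "dubious", then
// "non-secure"; in the end HTTPS is the unmarked norm and only HTTP is flagged.
const PHASES = {
  current:    { secure: "lock icon", nonSecure: "" },
  dubious:    { secure: "lock icon", nonSecure: "dubious" },
  nonSecure:  { secure: "lock icon", nonSecure: "non-secure" },
  final:      { secure: "",          nonSecure: "non-secure" },
};

// Returns the indicator text a UA in the given phase would show for the origin.
function indicatorFor(origin, phase) {
  const p = PHASES[phase];
  if (!p) throw new Error("unknown phase: " + phase);
  return isPotentiallyTrustworthy(origin) ? p.secure : p.nonSecure;
}

// Walk every phase for a few sample origins so the reversal is visible.
function rolloutTable(origins) {
  const rows = [];
  for (const origin of origins) {
    const row = { origin };
    for (const phase of Object.keys(PHASES)) row[phase] = indicatorFor(origin, phase);
    rows.push(row);
  }
  return rows;
}

// Usage (constructed sample origins):
console.table(rolloutTable([
  "http://example.com/",
  "https://example.com/",
  "http://localhost:8080/",
]));
```

Note that `new URL` does the scheme and host normalisation, so the classifier does not have to handle mixed-case schemes or default ports itself; anything it cannot parse is deliberately treated as non-secure rather than guessed at.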