Google proposes non-HTTPS website security alerts on Chrome

[Reefa]

Engineers working on Google Chrome are proposing a warning system for web users about to visit a non-HTTPS website in order to improve web security.

The proposal is suggested on a Chrome engineering page and is being discussed by groups at Mozilla and the World Wide Web Consortium.

The engineers argue that, while the system may present challenges in that people often dismiss pop-up security alerts, the adoption of HTTPS should be embraced by the internet community.

"We, the Chrome Security Team, propose that user agents gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015," they said.

"The goal of this proposal is to more clearly display to users that HTTP provides no data security."

The current system puts users at a disadvantage, according to the post, because no security information usually suggests no security. This must change as web users face a range of information attacks.

"We know that active tampering and surveillance attacks, as well as passive surveillance attacks, are not theoretical but are in fact commonplace on the web," they add.

"We know that people do not generally perceive the absence of a warning sign. Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP."

Google revealed in the summer that websites using HTTPS are rewarded with higher search result rankings.

Source

[banned]

Engineers working on Google Chrome are proposing a warning system for web users about to visit a non-HTTPS website in order to improve web security.

Most other browsers already warned the user when submitting an insecure form. But of course everyone disabled that annoying warning the first time they saw it, without understanding what it really meant..

Whatever they do will need to be something less intrusive, such as a yellow warning in the address bar for example. I certainly don't want to see a pop-up warning for every non-HTTPS site I visit... (which is probably like, 99% of sites I visit)