Google to Force HTTPS on Even More Webpages
After insisting webpages that collect sensitive information migrate to secure hypertext transfer protocol (HTTPS) no later than January 2017, Google is now poised to impose its will on even more sites and pages in the name of data security.
According to the Google gods, the January edict — which causes Google’s Chrome browser to flash a “Not Secure” message when pages that collect information like credit card numbers and passwords are not served over HTTPS — has resulted in a significant decrease in user risk.
“Since the change in Chrome 56, there has been a 23-percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we’re ready to take the next steps,” Emily Schechter of the Chrome Security Team wrote in a post on the Google Security blog.
“The next step” will come in October, when Google plans to release Chrome version 62. According to Schechter, Chrome 62 will flash a “Not Secure” warning on all non-HTTPS pages that collect any kind of information.
Got a newsletter sign-up form? Move it to HTTPS before October. Age verification by birthdate? Put it on HTTPS. If you survey users about preferences or host contests, make sure you do it over HTTPS.
“Passwords and credit cards are not the only types of data that should be private,” Schechter wrote. “Any type of data that users type into websites should not be accessible to others on the network…”
But wait! There’s more.
In addition to warning users that pages that collect data are insecure, Google will also flash a “Not Secure” warning when users visit any pages served over HTTP while they’re browsing in Incognito mode.
“When users browse Chrome with Incognito mode, they likely have increased expectations of privacy,” Schechter said. “However, HTTP browsing is not private to others on the network.”
Schechter revealed that eventually Chrome will display a “Not Secure” warning on all pages served over HTTP, whether or not they collect information and regardless of the mode in which the user browses.
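For site owners sorting pages by the deadlines described above, here is a rough audit sketch. It is an added example, not code from Google or from this article; the field heuristics, the stage labels and the sample pages are assumptions made for illustration, and Chrome's actual detection logic is not reproduced.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types a visitor does not type into (heuristic chosen for this example).
NON_TYPED = {"hidden", "submit", "button", "reset", "image",
             "checkbox", "radio", "file", "range", "color"}

class FieldScanner(HTMLParser):
    """Counts fields a visitor can type into and how many look sensitive."""
    def __init__(self):
        super().__init__()
        self.typed = 0
        self.sensitive = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "textarea":
            self.typed += 1
        elif tag == "input":
            itype = a.get("type", "text")
            if itype in NON_TYPED:
                return
            self.typed += 1
            # Password fields and credit card autocomplete hints (cc-number, cc-exp, ...)
            if itype == "password" or a.get("autocomplete", "").startswith("cc-"):
                self.sensitive += 1

def warning_stage(url, html, incognito=False):
    """Stage of the rollout (as the article describes it) that flags this page."""
    if urlsplit(url).scheme.lower() != "http":
        return None                      # served over HTTPS: no warning
    scan = FieldScanner()
    scan.feed(html)
    if scan.sensitive:
        return "chrome56"                # password / card forms, flagged since January
    if scan.typed or incognito:
        return "chrome62"                # any typed data, or any HTTP page in Incognito
    return "eventual"                    # plain HTTP page, flagged at the final stage

# Constructed sample pages, not real sites.
PAGES = {
    "http://shop.example/login": '<form><input type="password" name="pw"></form>',
    "http://news.example/signup": '<form><input type="email"><input type="submit"></form>',
    "http://blog.example/post": "<p>Nothing to fill in here.</p>",
    "https://news.example/signup": '<form><input type="email"></form>',
}

if __name__ == "__main__":
    for url, html in PAGES.items():
        print(url, "->", warning_stage(url, html))
```

Pages that come back as `chrome62` are the ones to move to HTTPS before the October release.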
2 Comments
Was that last sentence an error? Did you mean to say “on all pages served over HTTP”? Why would they display “Not Secure” for pages served with HTTPS (I thought that HTTPS was what they wanted).
Oops! Thanks for calling that to our attention, Tom. It’s fixed now. 🙂