Google’s Chrome browser has flipped its security strategy today, no longer rewarding encrypted sites with a “Secure” label but instead flagging unencrypted ones to warn users. For the past two years, Chrome has highlighted which sites use encryption for personal data with a legend in the address bar.
That has been a nudge to site owners to try to hurry up on safer browsing and personal data sharing. Now, though, Google is taking the opposite approach. Rather than a carrot to encourage data security, it’s switching to a stick.
As of Chrome 68, HTTP pages – that is, pages which don’t encrypt all data shared – will have a “Not secure” legend placed next to their URL in the address bar. For the moment, HTTPS sites will still get their “Secure” label. However, that’s changing too.
Come September 2018, another Chrome browser update will remove that “Secure” badge altogether. “Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure,” Google says, “and the default unmarked state is secure.”
Things will get even more obvious in October. If unencrypted websites accept user data entry, the “Not secure” legend will turn red, with a red warning triangle when the user starts typing. Chrome has already been flagging unencrypted pages as “not secure” when people enter their data on an HTTP page, as well as on every HTTP page visited when the browser is in its Incognito “private” mode.
It’s not the only move the Chrome team has made in recent months to improve browser security. Back in June, the app began blocking browser extensions if they were installed outside of its own web store. That, the company said, was in reaction to user complaints: the majority of problems reported by Chrome users about extensions were about those installed from sources other than the official extension store.
The previous month, meanwhile, Chrome 67 set its sights on ousting weak passwords. That included pushing the adoption of WebAuthn, which supports USB keys and biometrics as secure login methods for webpages.