Google has taken its first step to flag ordinary sites like Wikipedia and CNN with a security warning because they are unencrypted, allowing all data transmissions to be viewed by the prying eyes of hackers or governments.
Google just gave Chrome something of an insecurity complex.
That’s because the company has enlisted Chrome — the No. 2 desktop browser worldwide — in its effort to make secure, encrypted connections on the Web the rule rather than the exception. Encryption scrambles data during transmission to protect users from identity thieves and prying governments. This week, Google built a feature into a test version of Chrome to explicitly warn people about Web pages that are delivered without encryption.
As the feature spreads to mainstream versions of Chrome, it could alarm people who thought Web pages were working fine and could impose new costs on Web site operators who don’t want their users fretting that something is wrong. But in Google’s view, the problem needs fixing.
“We know that active tampering and surveillance attacks, as well as passive surveillance attacks, are not theoretical but are in fact commonplace on the Web,” Chris Palmer, a security programmer on Google’s Chrome team, said last month in a mailing list post explaining the plan.
Moving toward encryption by default is a profound, monumental change for the Web. With unencrypted pages, somebody like an Internet service provider, taxi or airport Wi-Fi operator, or malicious hacker offering a “free Wi-Fi” hot spot can read all the data sent to and from a computer. A hacker can also modify a Web page, and an ISP can insert its own advertising. To guard against that kind of eavesdropping and tampering, Google encrypted its Gmail connections and search site in 2010, and Yahoo and Microsoft have followed suit.
But countless Web pages aren’t offered over a secure connection, including Wikipedia, Instagram, Craigslist, Imgur, China Daily, CNN and Amazon product pages. Indeed, 55 percent of the Web’s top million sites don’t offer encryption, according to a 2014 analysis.
“In general the principle is sound,” said Robert Duncan, a manager at Internet services and research firm Netcraft. But actually turning the principle into practice will mean many difficulties. “For smaller Web sites, many webmasters won’t have any idea what security is and how to go about doing it, even if it’s free.”
Google has been pushing for an encrypted Web for years, but former National Security Agency contractor Edward Snowden’s revelations about NSA surveillance have lent new urgency to the cause. In 2013, Snowden showed the massive extent of government surveillance, both through official channels like subpoenas and through the interception of communications traffic.
The first step in bringing the encryption plan to fruition came this week, and it is a small one that will directly affect almost nobody. The bleeding-edge Canary version of Chrome — not stable or tested enough for ordinary users — now offers a manual setting that enables the warning about unencrypted pages. A person visiting an unencrypted page will see in Chrome’s address bar a padlock with a red X over it. As the year progresses, expect the change to spread to mainstream Chrome.
To enable the feature, a person has to install Chrome Canary and activate the “mark non-secure origins as non-secure” option in Chrome’s chrome://flags interface.