MOUNTAIN VIEW, CA - SEPTEMBER 02:  The new Google logo is displayed at the Google headquarters on September 2, 2015 in Mountain View, California.  Google has made the most dramatic change to their logo since 1999 and have replaced their signature serif font with a new typeface called Product Sans.  (Photo by Justin Sullivan/Getty Images)

Default Non-Secure Flag for HTTP Coming to Chrome

Add Your Comments

Google is working to make its flag marking HTTP sites as insecure in Chrome a default warning, according to a Chromium issue tracking page. A flurry of announcements from Google related to Chrome and security have served to lay the ground-work for a change the company said in 2014 was necessary to allow users to make informed web security decisions.

Chrome marks HTTP sites with a red “x” over the “site information” portion of the URL bar to “mark non-secure origins as non-secure” when the currently optional feature is manually enabled by entering “chrome://flags/” in the URL bar. The option was included in updates following Google’s announcement in 2014 that it wanted to shift gradually from HTTP sites being unmarked to a clear indication of non-secure origin.

The company followed by changing its search ranking algorithm to reflect the prioritization of HTTPS soon after, and this past December announced it was adjusted its indexing system to look for HTTPS equivalents of HTTP pages.

Google showed off the new default flag at the Usenix Enigma 2016 conference on Tuesday, following the unannounced appearance of the issue tracking page earlier in January, which makes the company’s approach to signaling non-secure connections clear.

“Our goal is to mark non-secure pages like HTTP using the same bad indicator as broken HTTPS, since this 1) is more accurate than marking such pages as neutral, and 2) simplifies the set of security indicators,” the post says.

While no change has been officially announced, and a Chrome blog post Wednesday detailing the latest browser update makes no mention of it, the Chromium blog introduced a new security panel in its Chrome 48 beta “DevTools.” The new tool allows developers to site administrators to troubleshoot certificate verification, TLS connection, and subresource security.

All US federal government websites will be required to use HTTPS by December 2016, and the Let’s Encrypt program continues to pick up steam, as the organizations and individuals whose content makes up the Internet move towards the new, fast-approaching standard.


Subscribe Now and Get Our Exclusive Report on "The Hosting Infrastructure Ecosystem"

Enter your email to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.

Related Forum Threads

Add Your Comments

  • (will not be published)