Google is going to have its Chrome browser warn users when they visit a page that is unencrypted. This move is to help reduce confusion about the security level of a website.

Right now both Firefox and Chrome will throw a warning if you visit a site that uses a self-signed certificate. This is because a self-signed certificate is not from a Certificate Authority (CA), and thus the browser has no way to verify that the site is authentic. The problem is that if you visit a website that has no encryption at all, which is arguably substantially worse than having a self-signed certificate, neither browser throws an error. This means that if a spoofed website had no encryption at all, there would be no error shown, and the user would have to notice in their browser's URL bar that https and the green security logos are missing for the page they are visiting, and then take action to leave the site.

This move will help protect users from man-in-the-middle and spoofing attacks, as users will receive a direct warning when they are led to a page that is in plaintext.

A Limited Rollout at First

Google has chosen to not implement this warning on all unsecured pages at first, opting to only warn users when the browser detects a "credit card" field on the page. This will in effect warn users about MITM or phishing pages and force real websites with poor security to adopt better practices or face lost sales. In 2016 it is still common to see poorly developed sites collecting personal information and even transaction information over HTTP, and less technical users have a hard time differentiating between a secure site and an unsafe one.
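
For site owners, the sketch below flags pages that combine plain HTTP with a card-entry field, which is the combination described above. It is an added example, not Chrome's detection logic: the field heuristics (HTML `autocomplete` tokens starting with `cc-`, plus a few name/id substrings), the `audit_page` helper and the sample HTML are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: card fields are recognised by the standard HTML autocomplete
# tokens (cc-number, cc-exp, ...) or by common name/id substrings.
# This is a site-owner heuristic, not the browser's own rule.
CC_NAME_HINTS = ("cardnumber", "card_number", "card-number", "ccnum", "cvv", "cvc")


class CardFieldFinder(HTMLParser):
    """Collects visible <input> elements that look like payment-card fields."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").lower() for k, v in attrs}  # valueless attrs are None
        if a.get("type") == "hidden":
            return  # hidden inputs are not user-entered card data
        tokens = a.get("autocomplete", "").split()
        label = a.get("name", "") + " " + a.get("id", "")
        if any(t.startswith("cc-") for t in tokens) or any(h in label for h in CC_NAME_HINTS):
            self.hits.append(a.get("name") or a.get("id") or "<unnamed>")


def audit_page(url, html):
    """Return card-like field names if the page is served over plain HTTP, else []."""
    if urlparse(url).scheme.lower() == "https":
        return []
    finder = CardFieldFinder()
    finder.feed(html)
    return finder.hits


# Constructed sample pages (not taken from any real site).
CHECKOUT = """
<form action="/pay" method="post">
  <input type="text" name="fullname" autocomplete="name">
  <input type="text" name="pan" autocomplete="cc-number">
  <input type="text" id="CVV" maxlength="4">
  <input type="hidden" name="cardnumber_token" value="x">
</form>
"""
BLOG = '<form><input type="search" name="q"></form>'

if __name__ == "__main__":
    for url, body in [("http://shop.example/checkout", CHECKOUT), ("http://shop.example/blog", BLOG)]:
        print(url, "->", audit_page(url, body) or "no card fields over HTTP")
```

Run against a crawl of your own site, any non-empty result is a page to move to HTTPS first.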

Google has said that eventually, Chrome will throw a warning for all unsecured websites, which will force many websites to get certificates or effectively be embargoed by Chrome users.

Thankfully there is a free solution now. If your website is not yet encrypted, the Let's Encrypt project allows you to get a website certificate for your site for free.