HTTP Traffic Might Be Marked as Insecure in 2015
The Chromium security team is devising a plan to actively and explicitly inform users that HTTP connections provide no data security. Google hopes that one day HTTPS will become so commonplace and widespread that secure connections can go unmarked, just as HTTP connections are right now.
In a post on the Chromium Projects website, the Chrome Security Team proposed that user agents (UAs) gradually change their user interfaces so that non-secure origins are displayed as affirmatively non-secure.
Such a change would mean new indicators somewhere around the address bar of the various browsers. Just as the existing HTTPS indicator conveys information about a website's security, the indicator for HTTP websites would communicate a different message: that the user's connection to that website, software agent or mail service is not secure.
The Chrome Security Team wrote that it is aware that people do not generally perceive the absence of a warning sign. Yet the one situation in which browsers are guaranteed not to warn users is precisely when security is not an option: when the origin is transported over HTTP.
Ivan Ristic, author of Bulletproof SSL and TLS and creator of SSL Labs, noted that with this decision Google is taking the right steps in the right direction.
Ristic said that the default state for websites is currently unencrypted, and that opt-in security for some sites is not secure at all and never could be. Security can be achieved only if 100 percent of traffic is encrypted, because there are simply so many traps in deploying partial encryption that it is nearly impossible to do correctly. On the other hand, this long-term plan cannot be fulfilled quickly or all at once. Instead, we have to reach the goal by taking small, guaranteed steps, so that we don't try to break the entire Internet at one time.
He also said that this change by itself is not going to make us greatly more secure. While, according to Ristic, this step is an important one in the big picture of a secure Internet, an addition to your security such as a VPN will not become obsolete, at least not in the near future, until new protocols providing complete security are made. NordVPN's advanced security features, paired with an OpenVPN connection that wraps and encrypts all of your data, make you virtually as safe as you can get, making that 100 percent encryption of your data easily achievable!
Ristic went on to say that making this change happen could send an important signal to those making deployment decisions, and a clear message that HTTP is not secure. He added that he is excited and happy about this.
According to Google, UAs should classify connections into three TLS states: non-secure (plain HTTP or broken HTTPS); dubious (valid HTTPS with minor TLS errors, or valid HTTPS with mixed passive resources); and secure (valid HTTPS).
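To make the three-state proposal concrete, here is an added example (written for this article, not Chromium's own code) that classifies a page load from its origin scheme, certificate status, minor TLS errors and the schemes of its subresources. The `Connection` fields, the `PASSIVE_TYPES` set and the sample URLs are constructed for illustration, and treating active mixed content (scripts, frames) as broken HTTPS is an assumption that goes beyond the article's three rules.

```python
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse


class State(Enum):
    NON_SECURE = "non-secure"   # plain HTTP or broken HTTPS
    DUBIOUS = "dubious"         # valid HTTPS with minor TLS errors or passive mixed content
    SECURE = "secure"           # valid HTTPS with nothing mixed in


# Resource kinds that cannot run script or rewrite the page: "passive" mixed content.
PASSIVE_TYPES = frozenset({"image", "audio", "video"})


@dataclass(frozen=True)
class Connection:
    url: str
    cert_valid: bool = True
    minor_tls_errors: tuple = ()    # constructed labels such as ("sha1-signature",)
    subresources: tuple = ()        # (url, kind) pairs loaded by the page


def mixed_content(conn):
    """Return (has_passive, has_active) for http:// subresources of the page."""
    passive = active = False
    for url, kind in conn.subresources:
        if urlparse(url).scheme != "http":
            continue                # https:// and data: resources are not mixed
        if kind in PASSIVE_TYPES:
            passive = True
        else:
            active = True
    return passive, active


def classify(conn):
    """Map a connection to the three-state indicator described in the article."""
    if urlparse(conn.url).scheme != "https":
        return State.NON_SECURE     # plain HTTP: no data security at all
    passive, active = mixed_content(conn)
    # Assumption (not in the article): active mixed content counts as broken HTTPS.
    if not conn.cert_valid or active:
        return State.NON_SECURE
    if conn.minor_tls_errors or passive:
        return State.DUBIOUS
    return State.SECURE


if __name__ == "__main__":
    # Constructed sample: valid HTTPS page pulling one logo over plain HTTP.
    page = Connection("https://shop.example/", subresources=(("http://cdn.example/logo.png", "image"),))
    print(classify(page).value)     # dubious
```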
Google plans to start notifying users that HTTP connections provide no protection for data security.
Google is encouraging vendors to take a phased approach to implementing these changes.
The Chromium Security Team stated that we all need data communication on the Internet to be secure (private, authenticated and untampered with). For users to make informed decisions about how to interact with an origin, the UA should explicitly display when there is no data security.