Google has announced that from January 2017 it is to actively warn users of its Chrome browser when they're submitting personal information via an unencrypted connection.
Current editions of Google's Chrome browser, which is built on top of the open-source Chromium project, show notifications prefixed to the address bar to advise whether a connection is secured or has an error such as a bad certificate. Sites that do not attempt to create an encrypted connection at all get a neutral prefix, but from January 2017 this is to change: any site which hosts password or credit card forms will receive an active 'Not secure' prefix on users' address bars to warn that data will be unprotected in transit.
The change is due to arrive in Chrome 56, which will launch in January 2016, and is part of a progression towards warn-by-default behaviour. In following releases all HTTP pages will be marked as 'Not secure' in privacy-boosting Incognito Mode, then the warning will be rolled out to all HTTP pages in any mode. At that time, it will also be made more visible: the initial grey advisory message will transition to a red warning message, complete with an exclamation mark inside a triangle.
'Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria,' explained Google's Emily Schechter in a blog post on the changes, describing the shift as 'part of a long-term plan to mark all HTTP sites as non-secure.'
The changes to Chrome come after Google modified its internal PageRank search algorithm to boost pages which offered TLS-protected HTTPS connectivity over HTTP-exclusive versions. The company had originally announced its intentions to warn about HTTP connectivity back in January, but has only now committed to a go-live date.