Today Chrome Marks HTTP As Not Secure
Written by Mike James   
Wednesday, 25 July 2018

A milestone ... but not the one you might think. Today someone took control of the web in a way that would have been unthinkable a few years ago.

Of course HTTPS is a good idea - no one can dispute that there are real use cases where anything else would be negligent at best. To keep communications that matter secure is a no-brainer, but not all communications matter quite that much.

For example, does a page from I Programmer need to be encrypted?

You can make up scenarios where things go wrong because a page of news or a technical article is sent in the clear - but they aren't particularly convincing.

Then there is the "man in the middle" scare. Encryption effectively means that no one can snoop on the packets in transit and so, as well as being unreadable, they are very difficult to change.

Does this really matter for an informational website? 

Again, you can devise a scenario where a user is duped into something or other because a website was intercepted and information changed. It would, or rather would have, made a good plot for a detective story. Something like changing the outcome of a race, or time-shifting events so that the user, poor sap, is conned into, or out of, something. Again, you can see that in most cases this is far-fetched and there are many websites supplying information that really isn't going to be valuable enough to warrant that amount of attention.

So, there are many web sites and many web pages that it makes little sense to encrypt and yet here we are with a large proportion of the web running as HTTPS only. Google estimates that more than 89% of the web is now using strict HTTPS. This is great, but what about all those mobile devices that are too old to use encryption? HTTPS-only sites effectively cut off access to a significant portion of the world.


What is really amazing is that this growth in HTTPS has happened more or less because Google took the decision away from us.

OK, Google didn't compel anyone to do anything, but as of Chrome 68 you will see a notification saying that an HTTP site is unsecure.


What is wrong with this?

The main wrong is: who asked for this?

Why is it that Google, and Mozilla but without quite as much force, have the right to decide that the web should be uniformly HTTPS?

You can argue the rights and wrongs of HTTPS, but the key factor is that using it isn't a decision that Google or any other browser maker should be allowed to make for us. This is not to say that Google has any obvious benefit from pushing HTTPS - there seems to be no commercial interest - so you could see it, and many do, as Google doing good for a change.

You can also argue that Google isn't forcing anyone to do anything, but this would miss the amazing amount of power that Google as a search engine has over the structure of the web. It is not so much that Google is shaming sites that are not HTTPS, it is much more that it is promising to down-rank such sites. You might make a stand against being shamed, and many big news sites are, but you cannot reasonably ignore a threat to reduce search-generated traffic.

If you feel comfortable with this because you approve of every site being coerced to implement HTTPS, because you perceive it as being safer, you need to ask yourself how you would react if Google decided to do something that you didn't approve of. Suppose Google mandates that we all use AMP by penalizing any site that doesn't - oh wait, Google already does this. What about something worse and more extreme, but still in the same direction? Suppose Google decided to down-rank any site that didn't install DRM? ... Make up your own worst nightmare.

The point isn't what Google has done, it is the fact that it is able to wield its might in this way - for good or for bad. It is not so much Google's control of the most used browser that is the problem, but its control of the search engine traffic to the majority of web sites.

Neither Google nor Mozilla should be in charge of the web in this way.

This is the day that Google demonstrated that it controls the web.

 


More Information

A milestone for Chrome security: marking HTTP as “not secure”


Last Updated ( Wednesday, 25 July 2018 )