Marking HTTP As Non-Secure


Raúl Martínez

Nov 5, 2015, 10:35:22 AM11/5/15
to public-w...@w3.org, blin...@chromium.org, securi...@chromium.org, dev-se...@lists.mozilla.org

Hi,
Latest Firefox nightly build (44) marks HTTP as non-secure if the page contains a password input.

Today I read again the proposal (https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure) and I realise that year 2015 is about to end and currently no browsers are even marking http as dubious.

What are the plans in Chrome and Firefox for this proposal? What is the planned roadmap?

Thanks

Chris Palmer

Nov 5, 2015, 3:05:09 PM11/5/15
to Raúl Martínez, public-w...@w3.org, blink-dev, security-dev, dev-se...@lists.mozilla.org
You can go to chrome://flags/ and turn on the "Mark non-secure origins as non-secure" experiment to see what the world will look like. (That's been in there for ~6 months now.)

We do still want to try to mark non-secure origins as such soon (early next year), but one thing we have found is that, although the big sites are HTTPS and people spend tons of time on them, there is a huge long tail of non-secure sites. Over the Summer and Autumn we measured HTTPS adoption, and it hasn't gone up much — so we've been spending effort trying to make it easier for site operators to migrate. Toward that end, my colleagues lgarron and estark developed the Security panel in Chrome Dev Tools (you can see it in Beta now), and we have simplified the Omnibox security indicators to try to smooth the path somewhat (and make the UX less complex): https://googleonlinesecurity.blogspot.com/2015/10/simplifying-page-security-icon-in-chrome.html.

We've also done a bit of consulting work with large site operators to find their pain points and help them with technical concerns. The mixed passive content warning was one (because it made HTTPS look worse than HTTP), and another is publishers relying on non-secure ads origins. Google is serving ads by HTTPS, and the industry is generally moving there (http://www.iab.com/news/lean/).

So, hopefully sooner rather than later, the pain points will diminish and more and more publishers will move to HTTPS. Happily, Wikipedia got there, for example. (Woo hoo!)

We are concerned that if people suddenly start seeing the Bad indicator for lots of the web/for lots of the time they spend on the web, they could get warning fatigue. Also, site operators could get upset.

But, we do intend to argue that Chrome should show non-secure origins as non-secure, regardless of HTTPS adoption. We are also redesigning our security iconography to make the Neutral state more honest about the reality.
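The thread describes three inputs to a browser's page-security indicator: whether the page's own origin is secure, whether a non-secure page carries a password input (the Firefox 44 nightly behaviour Raúl mentions), and whether a secure page loads mixed content, with "passive" mixed content treated more leniently than active. The following is an added example written for this page, not code from the thread and not Chrome's or Firefox's actual implementation. It models those rules as a small classifier so that a site operator can audit a page before the indicators ship. The split of resource kinds into passive (image, audio, video) and active (everything else) follows the W3C Mixed Content spec's "optionally blockable" category; the policy names `"password-fields"` and `"all-non-secure-origins"`, and the choice to show passive mixed content as "neutral", are this example's own assumptions.

```javascript
// Added example: a model of the page-security classification discussed in
// the thread. Illustrative only; not the real Chrome or Firefox logic.

// Resource kinds the W3C Mixed Content spec calls "optionally blockable"
// (passive): they can change what the user sees but cannot run code.
const PASSIVE_KINDS = new Set(["image", "audio", "video"]);

// Classify one subresource relative to the page that loads it.
// Returns "n/a" (page itself is not https, so mixed content does not apply),
// "secure", "mixed-passive" or "mixed-active".
function classifyResource(pageUrl, resource) {
  const page = new URL(pageUrl);
  const res = new URL(resource.url, pageUrl); // resolves relative URLs
  if (page.protocol !== "https:") return "n/a";
  if (["https:", "wss:", "data:", "blob:"].includes(res.protocol)) return "secure";
  return PASSIVE_KINDS.has(resource.kind) ? "mixed-passive" : "mixed-active";
}

// Classify a whole page.
//   page: { url, hasPasswordInput, resources: [{ url, kind }] }
//   policy (assumed names, not browser flags):
//     "password-fields"        -> non-secure origin is "non-secure" only when
//                                 it carries a password input (Firefox 44 nightly)
//     "all-non-secure-origins" -> every non-secure origin is "non-secure"
//                                 (the Chrome experiment flag in the thread)
// Returns { state: "secure" | "neutral" | "non-secure", reasons: [...] }.
function classifyPage({ url, hasPasswordInput = false, resources = [] }, policy = "password-fields") {
  const page = new URL(url);
  const reasons = [];

  if (page.protocol !== "https:") {
    const scheme = page.protocol.slice(0, -1);
    if (hasPasswordInput) reasons.push(`password input on a page loaded over ${scheme}`);
    if (policy === "all-non-secure-origins") reasons.push("origin is not secure");
    if (reasons.length > 0) return { state: "non-secure", reasons };
    return { state: "neutral", reasons: ["origin is not secure"] };
  }

  // Secure origin: the outcome is decided by the worst subresource.
  let state = "secure";
  for (const r of resources) {
    const kind = classifyResource(url, r);
    if (kind === "mixed-active") {
      state = "non-secure";
      reasons.push(`active mixed content: ${r.url}`);
    } else if (kind === "mixed-passive") {
      // Assumption: passive mixed content drops to "neutral", not "non-secure".
      if (state === "secure") state = "neutral";
      reasons.push(`passive mixed content: ${r.url}`);
    }
  }
  return { state, reasons };
}

// Map PerformanceResourceTiming.initiatorType values to the kinds above so a
// live document can be audited from the console. Browser-only helper.
const INITIATOR_KINDS = { img: "image", audio: "audio", video: "video",
  script: "script", link: "stylesheet", css: "stylesheet", iframe: "iframe",
  xmlhttprequest: "xhr", fetch: "fetch" };

function collectFromDocument(doc, perf) {
  return {
    url: doc.location.href,
    hasPasswordInput: doc.querySelector('input[type="password"]') !== null,
    resources: perf.getEntriesByType("resource").map((e) => ({
      url: e.name,
      kind: INITIATOR_KINDS[e.initiatorType] || "other",
    })),
  };
}

// Constructed sample pages (not real sites) exercising each rule.
const SAMPLE_PAGES = [
  { url: "http://example.test/login", hasPasswordInput: true },
  { url: "http://example.test/about" },
  { url: "https://example.test/", resources: [{ url: "http://cdn.example.test/hero.png", kind: "image" }] },
  { url: "https://example.test/", resources: [{ url: "http://ads.example.test/ad.js", kind: "script" }] },
  { url: "https://example.test/", resources: [{ url: "/app.js", kind: "script" }, { url: "https://ads.example.test/ad.js", kind: "script" }] },
];

for (const p of SAMPLE_PAGES) {
  const r = classifyPage(p);
  console.log(p.url, "->", r.state, r.reasons.join("; "));
}
```

In a browser, `classifyPage(collectFromDocument(document, performance), "all-non-secure-origins")` gives a rough preview of what the Chrome flag would show for the current page; note that `performance.getEntriesByType("resource")` only sees loads that have already happened, so run it after the page has settled.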