Google wants to turn browser signals of Web encryption upside down
Chrome security engineers have proposed that all websites that don’t encrypt traffic be marked as insecure by browsers.
The proposal, which was floated earlier this month, would dramatically change the visual signals in a browser’s address bar, which now shows an indicator (a “lock” icon in some cases) when a website is encrypted with SSL (Secure Sockets Layer) or TLS (Transport Layer Security), SSL’s replacement. Those sites’ domains are prefaced by https rather than the more common http.
Unencrypted sites do not display any special visual sign.
“We, the Chrome security team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure,” the engineers said in messages spread across several discussion forums, including Google’s own Chromium project. “The goal of this proposal is to more clearly display to users that HTTP provides no data security.”