Google’s Chrome web browser is stepping up alerts when you use sites missing that all-important HTTPS security padlock designed to stop online eavesdropping.
Of all the security and privacy precautions you should take to stay safe online, one of the easiest is to always check that a website uses HTTPS encryption before you enter sensitive information such as payment details. Unfortunately it’s easy to forget about this when you reach an online checkout and finally seal the deal on that new thingamabob you’ve been waiting to buy.
HTTPS isn’t just for online shopping; it’s important to check the security status of any website which asks you to enter sensitive information, such as online banking, webmail, cloud storage/services, social media, online forums and content management systems. Google also uses it to safeguard your online searches.
Think of HTTPS a bit like a mini-VPN just for that individual browser tab. It doesn’t stop people seeing which page you’re visiting, but it creates an encrypted tunnel from your browser all the way to the webpage server to stop anyone in between snooping on your activities. HTTPS is still important even if you’re using a VPN, as the VPN only protects your data as far as the VPN server.
Perhaps more importantly, HTTPS also relies on signed security certificates to ensure that you haven’t accidentally visited a spoof website masquerading as your bank or a legit online retailer.
Google’s Chrome web browser is already one of the best at drawing your attention to HTTPS. It displays a green padlock with the word “Secure” alongside the website address, plus it often displays the name of the company to which the security certificate was issued – something you probably see when you use online banking.
There’s a push to use HTTPS across the web, with the Electronic Frontier Foundation even offering the HTTPS Everywhere browser plugin to force sites to use HTTPS if the website developer has enabled it.
At the moment the Chrome browser draws attention to any website which doesn’t use HTTPS, although it only displays a subtle “i” symbol where the padlock should be. Click on it for more information and you’re told: “You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers.”
Google is about to ramp up these warnings in an effort to force websites to lift their security game.
Chrome already marks websites not using HTTPS as “Not secure” if they ask for credit card or password details. As of October, Chrome will mark non-HTTPS websites as “Not secure” as soon as you start to type anything into the page.
Chrome will also ramp up HTTPS warnings when you’re using Incognito mode, on the assumption that you’re looking for a little extra privacy. Keep in mind that Incognito mode doesn’t hide your destination from your ISP; it simply ensures that it doesn’t show up in your browser history (and URL autocomplete) if someone else is looking through your computer.
Eventually Google plans to mark all standard HTTP pages as “Not secure” in red, as it does today for HTTPS sites which fail the security check. So anyone who runs a website needs to start thinking about upgrading to HTTPS.
Do you check for the HTTPS security padlock when entering data into webpages? What other tricks do you use to guard your security and privacy online?