Google Chrome Is Ramping Up Warnings When You Visit Insecure Websites

Image: Supplied

Google's Chrome web browser is stepping up alerts when you use sites missing that all-important HTTPS security padlock designed to stop online eavesdropping.

Of all the security and privacy precautions you should take to stay safe online, one of the easiest is to always check that a website uses HTTPS encryption before you enter sensitive information such as payment details. Unfortunately it's easy to forget about this when you reach an online checkout and finally seal the deal on that new thingamabob you've been waiting to buy.

HTTPS isn't just for online shopping, it's important to check the security status of any website which asks you to enter sensitive information, such as online banking, webmail, cloud storage/services, social media, online forums and content management systems. Google also uses it to safeguard your online searches.

Think of HTTPS a bit like a mini-VPN just for that individual browser tab. It doesn't stop people seeing which page you're visiting, but it creates an encrypted tunnel from your browser all the way to the webpage server to stop anyone in between snooping on your activities. HTTPS is still important even if you're using a VPN, as the VPN only protects your data as far as the VPN server.

Perhaps more importantly, HTTPS also relies on signed security certificates to ensure that you haven't accidentally visited a spoof website masquerading as your bank or a legit online retailer.

Google's Chrome web browser is already one of the best at drawing your attention to HTTPS. It displays a green padlock with the word "Secure" alongside the website address, plus it often displays the name of the company to which the security certificate was issued – something you probably see when you use online banking.

There's a push to use HTTPS across the web, with Electronic Frontiers Foundation even offering the HTTPS Everywhere browser plugin to force sites to use HTTPS if the website developer has enabled it.

At the moment the Chrome browser draws attention to any website which doesn't use HTTPS, although it only displays a subtle "i" symbol where the padlock should be. Click here for more information and you're told; "You should not enter any sensitive information on this site (for example, passwords or credit cards), because it could be stolen by attackers."

Google is about to ramp up these warnings in an effort to force websites to lift their security game.

Chrome already marks websites not using HTTPS as "Not secure" if they ask for credit card or password details. As of October, Chrome will mark non-HTTPS websites as "Not secure" as soon as you start to type anything into the page.

Chrome will also ramp up HTTPS warnings when you're using Incognito mode, on the assumption that you're looking for a little extra privacy. Keep in mind that Incognito mode doesn't hide your destination from your ISP, it simply ensures that it doesn't show up in your browser history (and URL autocomplete) if someone else is looking through your computer.

Eventually Google plans to mark all standard HTTP pages as "Not secure" in red, as it does today for HTTPS sites which fail the security check. So anyone who runs a website needs to start thinking about upgrading to HTTPS.

Do you check for the HTTPS security padlock when entering data into webpages? What other tricks do you use to guard your security and privacy online?

This article originally appeared in Digital Life, The Sydney Morning Herald's home for everything technology. Follow Digital Life on Facebook and Twitter.



    Why aren't HTTPS certs free?

      Certificate authorities have infrastructure and audit costs. You're also paying to some degree for the CA's reputation - there's nothing stopping you from running your own CA and providing certificates for free, but odds are people will trust "Pformagg" a lot less than "Verisign" as the signing authority.

      WHM can now generate them for free.

        If you're referring to self-signed certificates, I thought that had been available in WHM for a while. The problem is they're not certified by a trusted CA so browsers tend to give users very visible warnings, which you don't want for any kind of professional website.

          Not self-signed, it's a feature that came in last year:

            Interesting. Their 'cpanel'-issued certificates are from Comodo, I wonder how they pulled that off since Comodo charges around $60/year for a DV certificate normally. I see it doesn't support wildcard domains though so that's still an unfortunate limitation.

            Thanks for the info.

              The hosting guys I'm with 'Panthur' also does this. Any site your host with them (give then the domain is also registered with them) comes with a free SSL and it's from Comodo.

      For basic certificates, they can be -

      If you need things like EV for online shopping/banking, you still need to pay for those, but as you're now making money off your website, not just using it as a way to display information, that's more a cost of running that webstore.

        Fair enough, I forgot about them. They don't support wildcard certificates so I mentally wrote them off a while ago.

    I found it very amusing that the original site this appears on (SMH/The Age), doesn't actually support SSL properly as well. Their comment forms are submitted over plain HTTP, which will trigger these warnings in Chrome soon (and rightly so). Also, if you try to access the site through HTTPS it doesn't work as the certificates have not been correctly issued for their CDN.

    Perhaps they should get their own house in order before writing articles like this?

    Apparently, not all certificates are created equal. When I go to some sites and hover the mouse over the little 'i' symbol in the address bar, it says 'This website only has domain validation issued by Comodo RSA Domain Validation Secure Server CA'. It is https but without the padlock. Beats me.

      Could be that the site is hosting non-SSL content.

      My webmail does that; plain text emails and HTML ones that source their content from HTTPS sites are fine.

Join the discussion!

Trending Stories Right Now