Your browser is about to become a lot more paranoid. You might not notice. But if you do, don’t freak out. At least not yet.
You may have noticed that when you visit certain sites, such as Wired.com, browsers like Google Chrome display a little green padlock and the words “Secure” next to the address. That icon means that the site uses the encrypted web protocol HTTPS instead of plain old unencrypted HTTP.
You might also occasionally notice the words “Not Secure” next to an address in Chrome–typically when you’re asked to enter a password or credit-card number on a site that doesn’t use HTTPS to protect your information. Starting in October, Google will display the “Not Secure” warning more often.
Most of the time, when you visit a site that uses plain HTTP, Chrome displays an icon of the letter “i” in a circle. (Clicking on the “i” reveals a warning, “Your connection to this site is not secure.”) On Thursday, Google warned users of its Search Console tool that a forthcoming version of Chrome will display warnings when users are asked to submit any information over an unencrypted HTTP connection–not just passwords and credit cards. That means if you enter search terms on a site that doesn’t use HTTPS, or type your email into a newsletter subscription form that isn’t encrypted, you’ll see a “Not Secure” notice. Users of Chrome’s Incognito mode will see the warning when visiting any website that doesn’t use HTTPS, even if it doesn’t doesn’t have any forms or fields. And that’s just the beginning.
“Eventually, we plan to show the ‘Not secure’ warning for all HTTP pages, even outside Incognito mode,” Emily Schechter, a member of the Chrome security team, wrote in a blog post.
For the most part, this is a good thing, because it will push more websites to adopt HTTPS. That protocol isn’t perfect, but does help protect your privacy and helps ensure that you’re viewing the page you intend, and not a ringer meant to trick you into downloading malware. Google’s move will resonate because Chrome is the most popular browser.
But Brian Klais, the CEO of mobile-technology consulting firm Pure Oxygen Labs, worries that the new warnings will arrive just before the holiday shopping season and could scare users away from legitimate e-commerce sites that encrypt passwords and credit cards, but haven’t yet implemented HTTPS across their entire websites.
That could include the websites of big-name retailers like Home Depot, Nordstrom, Sears, and the Gap, none of which use HTTPS to secure product-search forms today. “We’re prepared to let customers know their payment and login information is protected,” a Home Depot spokesperson says. The other retailers did not respond to requests for comment. A Google spokesperson declined to comment as well, pointing to the company’s earlier blog post.
Protecting credit cards and passwords has long been common practice online. More recently, there’s been a push to encrypt all web traffic. Google search, Facebook, and Wikipedia all use HTTPS by default now. But as WIRED has documented, switching from HTTP to HTTPS can be a daunting technical challenge.
According to Pure Oxygen Labs’ research, about 40 percent of the 100 largest online retailers don’t yet use HTTPS. That’s in line with estimates by Mozilla, the makers of the Firefox web browser, that about 40 percent of the web’s traffic is unencrypted.
When Firefox users visit a site that asks for a password or credit card but isn’t protected by HTTPS, the browser displays an icon with a lock and a red line through it, but doesn’t display the words “Not Secure.” Apple’s Safari and Microsoft’s Edge don’t warn users about HTTP sites, specifically, but don’t display the green lock icon.
One big question is how many users will actually notice the change in Chrome, which is subtle. “It’s really hard to measure what impact this will have, but it only takes one person to use this as leverage to hold a site more accountable for securing their content,” says security researcher Troy Hunt. Hunt says the Australian airline Qantas Airways expanded its use of HTTPS on its site earlier this year after he pointed out on Twitter that the site displayed an error when users attempted to log into their frequent-flier accounts.
So keep an eye out for those security warnings in the coming months, but remember that they don’t necessarily mean your password or credit-card information is being passed along insecurely.