In some cases, online security is a balance between users making good choices and systems providing the required information. Phishing attempts, for example, where fake sites grab private information by masquerading as official sites, only succeed because users are fooled into thinking they’re on legitimate pages.
One way to combat phishing is to use HTTPS, which encrypts the connection and verifies that a site is actually the domain it claims to be. Users can therefore lower their risk of becoming phishing victims by only entering private and sensitive information, like credit card and social security numbers, on encrypted sites. Google has been slowly implementing features in Chrome to make it clear when users aren’t on encrypted pages, and it’s getting even more aggressive in its efforts to help users stay safe.
While anyone can tell if a page is secured just by looking for the “https” prefix in the address bar, Chrome recently started explicitly marking HTTP pages as “Not secure” whenever they include password or credit card fields. Starting in October 2017, Chrome will show “Not secure” in more situations, specifically when users enter any data on an HTTP page and when they visit any HTTP page in Incognito mode.
As the company puts it, “Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the ‘Not secure’ warning when users type data into HTTP sites.” Chrome 62 is due in October 2017, hence the timeline for implementing the more aggressive policies.
In addition, Chrome’s Incognito mode represents a particularly troublesome situation because it can lead people to confuse local privacy with the privacy of data that’s entered on pages and submitted to sites. Incognito mode makes it harder for someone with access to a user’s local machine to recover their data after a browsing session, but it does nothing to protect data once it’s sent from the browser to the internet. Therefore, Chrome will mark all HTTP pages in Incognito mode as “Not secure” to ensure that users are reminded of those facts.
Google’s end game is to mark all HTTP pages in all browsing modes as “Not secure.” As the company points out, HTTPS is less expensive and less of a hassle to implement than ever before, and the sooner all sites switch over to HTTPS, the better for everyone. Perhaps by pointing out more sites as insecure, Google can essentially shame a few more sites into making the transition — along with providing the information users need to take their own steps in becoming more secure in their browsing practices.