Google has taken its first step to flag ordinary sites like Wikipedia and CNN with a security warning because they are unencrypted, allowing all data transmissions to be viewed by the prying eyes of hackers or governments.
Google just gave Chrome something of an insecurity complex.
That’s because the company has enlisted Chrome — the No. 2 desktop browser worldwide — in its effort to make secure, encrypted connections on the Web the rule rather than the exception. Encryption scrambles data during transmission to protect users from identity thieves and prying governments. This week, Google built a feature into a test version of Chrome to explicitly warn people about Web pages that are delivered without encryption.
As the feature spreads to mainstream versions of Chrome, it could alarm people who thought Web pages were working fine and could impose new costs on Web site operators who don’t want their users fretting that something is wrong. But in Google’s view, the problem needs fixing.
“We know that active tampering and surveillance attacks, as well as passive surveillance attacks, are not theoretical but are in fact commonplace on the Web,” Chris Palmer, a security programmer on Google’s Chrome team, said last month in a mailing list post explaining the plan.
Moving toward encryption by default is a profound, monumental change for the Web. With unencrypted pages, somebody like an Internet service provider, taxi or airport Wi-Fi operator, or malicious hacker offering a “free Wi-Fi” hot spot can read all the data sent to and from a computer. A hacker can also modify a Web page, and an ISP can insert its own advertising. To block against that kind of eavesdropping and tampering, Google encrypted its Gmail connections and search site in 2010, and Yahoo and Microsoft have followed suit.
But countless Web pages aren’t offered over a secure connection, including Wikipedia, Instagram, Craigslist, Imgur, China Daily, CNN and Amazon product pages. Indeed, 55 percent of the Web’s top million sites don’t offer encryption, according to 2014 analysis.
“In general the principle is sound,” said Robert Duncan, a manager at Internet services and research firm Netcraft. But actually turning the principle into practice will mean many difficulties. “For smaller Web sites, many webmasters won’t have any idea what security is and how to go about doing it, even if it’s free.”
Google has been pushing for an encrypted Web for years, but former National Security Agency contractor Edward Snowden’s revelations about NSA surveillance has lent new urgency to the cause. In 2013, Snowden showed the massive extent of government surveillance both through official channels like subpoenas and the interception of communications traffic.
The first step in bringing the encryption plan to fruition came this week with a small first step that will directly affect almost nobody. The bleeding-edge Canary version of Chrome — not stable or tested enough for ordinary users — now offers a manual setting that enables the warning about unencrypted pages. A person visiting an unencrypted page will see in Chrome’s address bar a padlock with a red X over it.
As the year progresses, expect the change to spread to mainstream Chrome. Google hasn’t declared a schedule for activating the feature, but suggested one option could be to add the warning once encrypted connections reach a certain threshold of commonness.
To enable the feature now, a person has to install Chrome Canary and activate the “mark non-secure origins as non-secure” option in Chrome’s chrome://flags interface.
Google suggests a phased transition to the warnings, but in the long run, the company expects a reversal in browser behavior. Today, green lock icons denote secure pages while unencrypted pages are plain. In the future, as encrypted pages become the norm, they could get the plain pages while unencrypted sites could sport a red warning sign.
Encrypted Web pages are sent using the HTTPS (Secure Hypertext Transfer Protocol) technology. HTTPS arrived not long after unencrypted HTTP helped begin the Web revolution 25 years ago; the main incentive for adding HTTPS was preventing password eavesdropping on login pages and keeping credit card numbers secret for e-commerce.
Google has worked to counter one perception standing in the way of HTTPS: that HTTPS requires more powerful and therefore expensive hardware for Web site operators. But SSL/TLS, the encryption standard underlying HTTPS, “is not computationally expensive any more,” Google security expert Adam Langley argued back in 2010. “Ten years ago it might have been true, but it’s just not the case any more. You too can afford to enable HTTPS for your users.”
Snowden’s revelations helped marshal more allies to Google’s cause.
For example, the Electronic Frontier Foundation (EFF), an advocate of personal freedoms on the Net and outspoken critic of government snooping, has advocated HTTPS for years. But it increased its efforts after Snowden’s leaks.
The EFF and partners including Firefox developer Mozilla, network equipment maker Cisco Systems, and content distributor Akamai Technologies launched a project late last year called Let’s Encrypt to make it easier for Web site operators to move to HTTPS. Specifically, Let’s Encrypt will offers free certificates, the electronic credentials required to encrypt a Web site connection.
Another ally for Google’s HTTPS plan is Mozilla.
“In general, this proposal seems like a good idea,” said Richard Barnes, the nonprofit organization’s cryptographic engineering manager. “Adding security to the Web is a core part of our mission…We strongly support the deployment of HTTPS as widely as possible.”
He specifically supports one facet of Google’s proposal: that warnings be shown starting when HTTPS-encrypted Web pages become more ordinary. Being more aggressive could cause confusion and other undesirable side effects.
“We wouldn’t want to turn on a warning light that’s on all the time — that just trains users to ignore it,” Barnes said. “An indicator of HTTP being insecure should be thought of as a way to move the state of HTTPS from ‘dominant’ to ‘universal,’ not from ‘bare majority’ to ‘universal.'”
Speed bumps and stop signs
Yandex, a Russian search rival to Google that now also offers a Web browser, sees user privacy and security benefits to Google’s plan, but it has its own ideas about warning users about unencrypted Web connections.
The Internet industry isn’t ready to deliver HTTPS connections at the scale they deliver HTTP connections today, said Anton Karpov, Yandex’s head of information security. Web site operators have to worry that HTTPS connections are sometimes blocked in areas like airports and that, contrary to Google’s position, HTTPS does require beefier hardware to handle the encryption calculations.
Another hitch is the content delivery network (CDN) business, in which companies armed with global network capacity and servers help Web site operators distribute their content the world over. CDNs can offer HTTPS connections — but they often charge a premium.
Outside the tech industry, there’s another kind of opposition. For example, in January, UK Prime Minister David Cameron pledged to ban encrypted communication software that’s unbreakable by the government in order to more effectively combat terrorism.
Web encryption could help thwart legislative ambitions to ban smartphone apps whose encryption comes with a government-accessible back door. For example, a person could point a browser at an encrypted online chat site in a different country.
Overall, the momentum toward encryption is powerful, as seen in Apple’s decision to encrypt data stored on iPhones and iPads and Google’s parallel move with its Android mobile operating system. New network technologies, including Google’s SPDY and its related standard HTTP/2, will in practicerequire encryption in some common instances.
Moving to an encrypted Web won’t happen quickly, but Google has momentum on its side.