Skip to main content

Chrome Plans to Mark All 'HTTP' Traffic as Insecure from 2015


Chrome Plans to Mark All 'HTTP' Traffic as Insecure


Google is ready to give New Year gift to the Internet users, who are concerned about their privacy and security. The Chromium Project's security team has marked all HTTP web pages as insecure and is planning to explicitly and actively inform users that HTTP connections provide no data security protections.
There are also projects like Let's Encrypt, launched by the non-profit foundation EFF (Electronic Frontier Foundation) in collaboration with big and reputed companies including Mozilla, Cisco, and Akamai to offer free HTTPS/SSL certificates for those running servers on the Internet at the beginning of 2015.

This is not the first time when Google is taking initiative to encourage website owners to switch to HTTPS by default. Few months ago, the web Internet giant also made changes in its search engine algorithm in an effort to give a slight ranking boost to the websites that use encrypted HTTPS connections.
"We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure," the team writes in its blog post. The post continues, "the goal of this proposal is to more clearly display to users that HTTP provides no data security."
"We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin."
Users always compromise between their security and the flexibility/freedom while browsing the Internet. Now when I talk about Security, it means to reduce and lessen the online attack vectors, which generally minimizes our freedom to use some or more features.
The security team also remarks that HTTPS traffic usually produces a change to the user interface notification like new address bar indicators for the various browsers, yet insecure HTTP traffic does not. The security indicators and warnings are supposed to protect users from site-forgery attacks, such as man-in-the-middle attacks or 'phishing' sites.
"We know that people do not generally perceive the absence of a warning sign," the Google Chome Security Team wrote. "Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP."
The researchers' team suggests that browsers instead define three basic sates of transport layer security:

Secure (valid HTTPS, other origins like (*, localhost, *))
Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors)
Non-secure (broken HTTPS, HTTP)
More specifically, Google is encouraging user agent (UA) vendors to take a phased approach to implementing these changes given the needs of their users and their product design constraints.
"Generally, we suggest a phased approach to marking non-secure origins as non-secure," the team wrote. "For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins."
This latest move by the search engine giant could push more sites to HTTPS by default, because the more encrypted your website traffic is, the better it will be trusted by user and prioritize in the Google's search engine result. The post says that Google will "intend to devise and begin deploying a transition plan for Chrome in 2015."

Comments

Popular posts from this blog

Pebble - E-Paper Watch for iPhone and Android

CUSTOMIZE YOUR PERFECT WATCH. IT'S AS EASY AS DOWNLOADING AN APP. Pebble is the first watch built for the 21st century. It's infinitely customizable, with beautiful downloadable watchfaces and useful internet-connected apps. Pebble connects to iPhone and Android smartphones using Bluetooth, alerting you with a silent vibration to incoming calls, emails and messages. While designing Pebble, we strove to create a minimalist yet fashionable product that seamlessly blends into everyday life. WHAT Apps bring Pebble to life. We're building some amazing apps for Pebble. Cyclists can use Pebble as a bike computer, accessing the GPS on your smartphone to display speed, distance and pace data. Runners get a similar set of data displayed on their wrist. Use the music control app to play, pause or skip tracks on your phone with the touch of a button. If you're a golfer, feel free to bring Pebble onto the course. We're working with Freecaddie to create a great golf ...

Is Blockchain the new digital era ?

There is nothing more powerful than an idea, whose time has come. What is Blockchain ?  Blockchain is a set of growing records that are bound with one another using cryptographic algorithms. It allows records, called as blocks to be distributed among different system without being copied. Imagine that, you can see all the transactions that are being carried out in your bank. The main ledger, if is seen by thousands of people, would there be any malpractice anymore. The prime idea of blockchain was for Bitcoin, but now the tech community is now finding other potential uses for the technology. What is Bitcoin ? It is the first decentralized digital currency, as the system works without a central bank or single administrator. The system works as a peer-to-peer network, in which transactions take place between users directly, without an intermediary. These transactions are verified by blockchain. Bitcoin was invented by an unknown person or group of people us...

PENETRATION TESTING

What is Penetration Testing? It’s the process to identify security vulnerabilities in an application by evaluating the system or network with various malicious techniques. Purpose of this test is to secure important data from outsiders like hackers who can have unauthorized access to system. Once vulnerability is identified it is used to exploit system in order to gain access to sensitive information. Causes of vulnerabilities: - Design and development errors - Poor system configuration - Human errors Why Penetration testing? - Financial data must be secured while transferring between different systems - Many clients are asking for pen testing as part of the software release  cycle - To secure user data - To find security vulnerabilities in an application It’s very important for any organization to identify security issues present in internal network and computers. Using this information organization can plan defense against any hacking attempt. User privacy and ...