Google Chrome is gradually changing the alert in the search bar regarding the security of its website connection. I had a negative reaction to the early announcement.
When I first heard about Google’s plans in February to deprecate the green padlock and secure alerts in the Chrome search bar and only warn if the site is not secure, I was initially skeptical. After all, the more active, secure state should be called out as a confidence builder. We are accustomed to that. It’s a good feeling.
For example, during business hours, we expect a store’s doors to be unlocked. No sign is necessary. In a special situation, if the business is closed for some reason, we’d see a big “Closed” sign. We’re given an alert the gives us a useful heads up. This is the elevated, more alert state.
Further Reflection on Google Chrome
Further reading and analysis has convinced me that Google has devised a good plan here. See: “Chrome’s HTTP warning seeks to cut web surveillance, tampering.” Google is using a phased approach that warms the Chrome user up to how the Web should operate. And it gives websites time to do the right thing or be shamed. Here’s the sequence, described by Google, as to the search/URL bar appearance. (Google 68 was rolled out on July 24.)
- Chrome 67: Secure: Padlock and green text. Insecure: (i) black URL ext.
- Chrome 68: Secure: Padlock and green text. Insecure: (i) “Not secure.” black URL text.
The next steps will be gradual. Chrome 69, in September, will show a less dramatic black padlock. The “Not secure” label will turn red.
But Why?
HTTP is a protocol with terrible security weaknesses. It’s high time it went away. By alerting users with gradually more dramatic warnings about its ill-advised use, Google is easing us into a more secure Web.
Chrome’s “not secure” warning helps you understand when the connection to the site you’re on isn’t secure and, at the same time, motivates the site’s owner to improve the security of their site. Since our announcement nearly two years ago, HTTPS usage has made incredible progress. We’ve found in our Transparency Report that:
- 76 percent of Chrome traffic on Android is now protected, up from 42 percent
- 85 percent of Chrome traffic on ChromeOS is now protected, up from 67 percent
- 83 of the top 100 sites on the web use HTTPS by default, up from 37
Not a Panacea
Moving over to HTTPS and leaving HTTP behind doesn’t solve all possible security issues. However, it’s a step in the right direction. We move forward technically by degrees. Sooner or later, there will be issues with HTTPS, and we’ll deal with those as they come up. In the meantime, progressively more visible alerts about insecure HTTP sites seems to me to be an agreeable way to make healthy, productive strides forward.
Now the ball is in Apple’s court. Apple always has good ideas about the human-machine interface. But these two companies are frenemies. Will Apple go along because it believes Google’s thinking is well thought out? Or will Apple try to go its own way? With potential confusion. We’ll all be watching Apple now.
Google’s warning does nothing if oil doesn’t allow the user to intervene in a meaningful way