A year ago, Google proposed that web browsers should flag all plain HTTP web pages as unsecure and made the move to boost search engine rankings for sites using HTTPS URLS. Now, Google is getting ready to place a dreaded red “x” through websites that do not offer an encrypted connection. Google plans to mark non-secure pages, such as HTTP, with the same bad indicator as broken HTTPS. This simplifies the set of security indicators users receive on their browsers; however, there is debate as to whether this method is more accurate than just marking such pages as neutral.
This means that when a user visits an unsecure HTTP site, a red “x” warning will be displayed in the website address bar, unlike the blatant large warning displayed on a phishing site. As these security warnings become a common occurrence on the Internet, it is increasingly important that users do not get into the habit of ignoring them. While it remains unclear when Google Chrome will implement this change, Google has created a new tool, the Security Panel in DevTools, to help developers decipher the warning behind the red “x” and to further achieve their ultimate goal for HTTPS everywhere.
Online security begins in the origins of a website, and many times those origins are what can keep a site from earning the green padlock on its website address bar in Google Chrome. Google’s Security Panel was created to help unveil these connection errors by displaying connection information for every network request. The overview of any given page selected in the Security Panel displays information about the following:
- Certificate Verification: This indicates whether your site has proven its identity with a TLS certificate and if it is valid.
- TLS Connection: This indicates whether your site uses a modern, secure protocol and cipher suite.
- Sub-Resource Security: This specifies whether your site loads insecure HTTP sub-resources, otherwise known as mixed content. For example, an unsecure image on an otherwise secured page would currently trigger a grey padlock with a yellow triangle where there should otherwise be a red “x” to indicate an unsecure page.
Additionally, clicking on sub-resource websites within the panel provides developers with information about that site’s current security state, connection, and certificate details.
HTTP is not secure and does nothing to ensure user privacy while surfing the web. Google has taken the next step towards implementing HTTPS encryption everywhere by integrating the Security Panel in DevTools, which will help developers know how to obtain a green padlock and effectively make all web connections private and secure.