Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/15/2016
05:00 PM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Google Chrome To Flag Non-HTTPS Logins, Credit Card Info 'Not Secure'

The move is part of a larger Google push to lock down Web traffic using encryption between the browser and Web server.

Google's Chrome 56 browser as of January 2017 will flag as "not secure" any non-HTTPS sites that transmit password and credit-card information.

Hypertext Transport Protocol Secure (HTTPS) combines the Web's lingua franca hypertext transport protocol with encryption from Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to guarantee the authenticity of a website, protect communication between client and server, and obviate man-in-the-middle attacks.

Currently, Chrome delivers HTTP connections with its neutral indicator, which Google says doesn't reflect the real lack of security in HTTP environments. "When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you," Chrome Security Team member Emily Schechter wrote in a Sept. 8 blog post. HTTPS usage is on the upswing and that more than half of Chrome desktop page loads are now served over HTTPS, she wrote.

Google Chrome is the most widely used browser in the world, with approximately 54% of the combined desktop and mobile user segments as of August, according to Net Market Share.

Google is also a member of the Let's Encrypt consortium, a certificate authority that aims to lock down the Web via HTTPS. The certificates are available for free and are easily configured, according to the Internet Security Research Group, which provides the certificate service. 

Without giving any timeframes, the vendor says it will also label HTTP pages "not secure" in Incognito browsing mode, where users may believe they have greater privacy than they actually do.

"Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS," Google says.

It's unclear how much this flagging will affect user behavior or increase online security, since as Google itself acknowledges, users don't view the lack of a green-lock secure icon in their browser bar as a warning. Users also get saturated by frequent security warnings.

Generally, when the Chrome team makes a user-visible security and/or privacy change, they do their homework well in advance of shipping, according to Jeremiah Grossman, chief of security strategy for SentinelOne.

"Google likely has solid data that this change will have the necessarily motivational impact to get more website owners to switch to HTTPS," Grossman says. "No Website owner wants to have their visitors presented with some type of scary warning about using their website, so this encourages them to upgrade."

Where does that leave makers of other popular Web browsers? Mozilla says that its Firefox Developer Edition has had similar security warnings since January, "displaying a struck-through lock icon when there is a password field on a non-secure site," according to a Mozilla spokesperson. As a result, Mozilla reports a 20% reduction in presentation of password fields on non-secure pages since January, the spokesperson adds.

Apple did not respond to a request for more information about securing its Safari browser.

Related Content:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...
CVE-2020-4173
PUBLISHED: 2020-07-09
IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure l...