Euro Security Watch with Mathew J. Schwartz

Encryption & Key Management , Governance & Risk Management , Next-Generation Technologies & Secure Development

Google Set to Name and Shame Sites Lacking HTTPS

Chrome Browser Will Flag Sites Lacking Security Communication Protocol
Google Set to Name and Shame Sites Lacking HTTPS
Google to websites: Thou shalt use HTTPS. (Source: Wikimedia Commons)

Heads up, internet land: Come July, Google Chrome will mark every site that does not use HTTPS encryption as "not secure."

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

Hyper Text Transfer Protocol Secure - HTTPS - better secures client/server communications by making SSL/TLS encryption the default protocol for accessing all pages on a site.

"Security needs to be a default in the cloud." 

Using HTTPS - especially with TLS - helps prevent outsiders from eavesdropping on communications or launching man-in-the-middle attacks.

Google says it's been applying pressure to get more sites to begin using HTTPS.

"For the past several years, we've moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption," Emily Schechter, Google's Chrome security product manager, says in a Thursday blog post. "And within the last year, we've also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as 'not secure. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as 'not secure.'"

Google Chrome's take on sites only reachable via HTTP, come July.

Many information security experts, including security and privacy consultant Jessy Irwin, have applauded Google's move.

Plug-ins are already available for many browsers, including Mozilla Firefox, that are designed to alert users when they're visiting a site via just HTTP. But it's not clear how quickly browsers beyond Chrome might also do this by default.

Life Since 2010

The shift to HTTPS is well underway.

Percent of page loads over HTTPS in Chrome by platform. (Source: Google)

At first, however, many worried that the extra processing power required to drive encryption might "slow down connections only slightly," as Facebook warned in 2012 when it finally adopted HTTPS by default, having already used it to secure pages that required a username or password. Although as security expert Ivan Ristic noted at the time, Facebook continued to offer "an opt-out for the crazies."

Flashback: Facebook offered HTTPS as an opt-in setting for some users beginning in 2011.

Facebook was following in the footsteps of Google, which in January 2010 made HTTPS the default for all access to Gmail.

Two months later, Pamela Jones Harbour, the outgoing commissioner of the U.S. Federal Trade Commission, called on large internet services, such as Microsoft's Hotmail, Facebook and Yahoo, to also begin using HTTPS. "Security needs to be a default in the cloud," she said.

And by July 2012, Google was reporting that it had seen almost no performance hit due to enabling HTTPS. Shortly thereafter, Twitter and Hotmail also began using HTTPS by default.

Current HTTPS Adoption

Since then, the move to HTTPS appears to be progressing well. Google says users of its Chrome browser are finding HTTPS:

  • 68 percent of the time when using Android and Windows.
  • 78 percent of of the time when using Mac OS X, iOS and Chrome OS.

Google says 81 of the top 100 websites - based on traffic volumes - use HTTPS by default.

The number of domains of the top 1 million that use HTTPS protocol by default (Source:

Google Offers Open Source Lighthouse

Many websites, however, have been kludged together over the years, which can make it difficult to trace when resources are being loaded using HTTP instead of HTTPS.

To help, Google's Schechter recommends the latest Node CLI version of the automated improvement tool for developers called Lighthouse. The open source tool is designed to help developers improve and maintain the quality of a web app.

"The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version," Schechter says.

Overview of Lighthouse from the May 2017 Google I/O conference

Regardless of the tools developers use to help them build more secure sites, the writing is clearly on the wall: The future is HTTPS.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.