The company warned website owners they would start displaying the message for anyone not using the secure version, known as HTTPS, almost two years ago. “This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” Google said.
Google hopes the move will also pressure website owners to HTTPS.
Google has rolled out an update to its Chrome web browser that makes it clearer when a website is unencrypted.
The latest version, Chrome 68, shows a “not secure” sign alongside the web address bar for any websites that still use the HTTP standard.
A number of major websites including dailymail.co.uk, ladbible.com and cambridge.org have been highlighted among the list of insecure sites.
But does it mean you should stop visiting the websites altogether?
Why has Google started showing some websites as “not secure”?
— Chrome Developers (@ChromiumDev) July 24, 2018
Google has started to show websites which use the HTTP – HyperText Transfer Protocol – standard as “not secure” because it isn’t encrypted, meaning any data shared between you and a website isn’t scrambled.
What is the problem with HTTP?
HTTP isn’t encrypted, meaning anyone with access to the network could look at any of the information passing between you and the website. Google says anyone snooping could modify the contents of the site before it gets to you.
But this doesn’t mean a website using HTTP is an immediate danger.
“There has been many demonstrations of the vulnerabilities within HTTP and how it can be hacked over the years,” said Allen Scott of McAfee. “And whilst all sites under HTTP aren’t necessarily a target, Google’s move to drive this out is one the security industry has been calling out for.”
Kaspersky Lab UK’s principal security researcher David Emm said the change would help consumers avoid falling victim to cybercrime. “There has been many demonstrations of the vulnerabilities within HTTP and how it can be hacked over the years,” said Allen Scott of McAfee. “And whilst all sites under HTTP aren’t necessarily a target, Google’s move to drive this out is one the security industry has been calling out for.”
Kaspersky Lab UK’s principal security researcher David Emm said the change would help consumers avoid falling victim to cybercrime. “Without HTTPS, data is vulnerable to interception as it travels across the website – which of course presents a very good opportunity for cybercriminals to gather and manipulate it. “The fact that a web browser flags the fact that HTTPS is not implemented is a good thing for consumers. “It’s a signal that they should adopt an air of caution when using them – specifically, when required to enter confidential details.”
Happy Chrome 68 day! HTTP sites will now be marked as "not secure" in Chrome. We applaud the @googlechrome team as they make the Web more secure in a big way with this release.
— Let's Encrypt (@letsencrypt) July 24, 2018
Should I stop using websites that are flagged as “not secure”? No, there isn’t any immediate danger to beware of, although even security experts say it is a “tricky position” for internet users. “As security professionals, we get it – these are some of our favourite sites too,” Mr Scott said.
“For the time being, we advise all users to steer clear of making any transactional activities on the sites that have not updated to HTTPS, be it entering a password, sharing your email address or making payments – refrain from doing so. “As consumers, we can put a lot of pressure on these companies to update their websites and stop putting us at risk via HTTP, when their site traffic drops dramatically.”
— Google Europe (@googleeurope) July 25, 2018
Which websites are displaying as “not secure”?
Security researcher Troy Hunt has compiled a list of the UK’s busiest websites which still use HTTP. The top five are dailymail.co.uk, ladbible.com, cambridge.org, sportbible.com and skysports.com. You can view the full list on whynohttps.com.
What should I do to keep myself secure?
Experts say internet users should look out for websites that have misspellings or bad grammar in their addresses, as these could be copycats of legitimate websites. “Always use a safe search tool to steer clear of risky sites and make sure you have a strong and complex password in place, that is unique to every site, account or app you visit,” Mr Scott also warned.