Google’s Chrome 56 launch this week ushers in its plan to begin warning users that all HTTP pages are not secure, starting with the pages that collect login details or credit-card numbers.
Given Chrome has more than one billion users, this change to Chrome is likely to pressure website operators to at least consider enabling site-wide HTTPS.
Chrome will also call out companies that aren’t doing the basics of protecting sensitive user information by collecting information on an unencrypted connection.
This move shouldn’t come as a surprise to website owners. Google first flagged up this change to Chrome’s HTTPS warnings in September and issued an alert to site operators in December.
Until now, Chrome only showed a neutral grey indicator on an HTTP page, which Google’s Chrome security team thinks doesn’t accurately represent the total lack of security HTTP offers.
For example, if you’re on a Wi-Fi hotspot, a third-party on that network can tamper with the contents of an HTTP page. HTTPS on the other hand can mitigate the threat of man-in-the-middle attacks, or surveillance techniques.
The new indicator in Chrome 56 and onwards states ‘Not secure’ for HTTP login or payment pages and will eventually apply the same warnings for other HTTP pages. Google is also pushing developers to move to HTTPS to enable apps with access to more powerful hardware features, such as the camera and mic, which can capture sensitive information.
With this update, Google also paid out $53,837 to security researchers in its bug bounty program for Chrome. Google fixed a total of 51 security bugs in earlier versions of Chrome.
In a bid accelerate its own adoption of HTTPS, Google has also gained greater control over the digital SSL/TLS certificates used to validate and encrypt HTTPS sites. The company announced on Thursday that it had become its own root certificate authority, or CA, which can issue and revoke certificates.
It’s actually been operating a subordinate CA for several months to support its own certificate needs for Google products. However, in December it began operating its own root certificate authority. It’s established a new company, called Google Trust Services, which will operate the CAs.
If you visit Google or any of its other pages and click the padlock icon to reveal and view the certificate, it will state the certificate was issued by Google Internet Authority G2 or GIAG2, rather than, say, another large CA, such as Symantec or GoDaddy. It’s not clear whether Google will provide CA services to third-party sites.
“We have been operating our own subordinate Certificate Authority (GIAG2), issued by a third party. This has been a key element enabling us to more rapidly handle the SSL/TLS certificate needs of Google products,” said Ryan Hurst, from Google’s security and privacy engineering team.
“The process of embedding Root Certificates into products and waiting for the associated versions of those products to be broadly deployed can take time. For this reason we have also purchased two existing Root Certificate Authorities, GlobalSign R2 and R4. These Root Certificates will enable us to begin independent certificate issuance sooner rather than later,” he added.
Google will continue to operate its existing GIAG2 subordinate Certificate Authority and has outlined two root certificates that developers must use if they intend to connect to Google’s services.
As one commenter on Hacker News pointed out, this move gives Google one more key piece of the internet’s infrastructure: “You can now have a website secured by a certificate issued by a Google CA, hosted on Google web infrastructure, with a domain registered using Google Domains, resolved using Google Public DNS, going over Google Fiber, in Google Chrome on a Google Chromebook. Google has officially vertically integrated the internet.”