Chrome devs hatch plan to mark all HTTP traffic insecure

The Chromium Project's security team has kicked off a debate on whether browser will mark all HTTP pages as insecure.

“We … propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure,” the team writes in this post.

The post says the team's goal “... is to more clearly display to users that HTTP provides no data security” because ““We all need data communication on the web to be secure (private, authenticated, untampered).”

If users aren't enjoying good security, the team suggests, browsers “... should explicitly display that, so users can make informed decisions about how to interact with an origin.”

The team also point out that HTTPS traffic usually produces a change to the user interfa,ce notification, yet insecure HTTP traffic does not.

The post proposes that browsers instead define, and inform users of, three security levels:

  • Secure (valid HTTPS, other origins like (*, localhost, *));
  • Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
  • Non-secure (broken HTTPS, HTTP).

The post's authors have thrown the topic open to debate, posting to several influential mailing lists to gather feedback. But they seem intent on the change: the post says “We intend to devise and begin deploying a transition plan for Chrome in 2015.” ®

Simon Sharwood