Friday, September 16, 2016

Chrome to Mark HTTP as Insecure

It's exciting to see that Google Chrome will start marking HTTP login pages as insecure in January 2017.

To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

So I did a quick before & after to show you what it looks like. You can try this yourself by going to chrome://flags and changing "mark non-secure origins as non-secure" from Default to "mark non-secure origins as non-secure".



BEFORE you made that change an HTTP login page would look like this



AFTER you made that change an HTTP login page would look like this (notice the little red exclamation mark next to the url)



And if you were to click into the red exclamation marks to see the details it says



Why is this a good thing? Because HTTPS does multiple things for you that are critical on the internet. The obvious one is encryption, so your passwords are encrypted and not sent over the internet in plain text. But I've also blogged about how HTTPS gives you more than just encryption: authenticity, integrity, 3rd party vetting, revocation and more. If you're surfing the internet over HTTP, you can't trust it at all, even if it's just a plain website. Why? There could be a man-in-the-middle monitoring your traffic, serving up and injecting code and malware, and you wouldn't even know it.
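For site owners who want to find the pages this change will flag before their users see the warning, here is an added example (not from the original post and not Chrome's own code) that scans a page's HTML for password and credit card fields when the URL is plain HTTP. The detection rule (type=password, or an autocomplete token starting with cc-) is an assumed approximation of Chrome's check, and the function names, URLs and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that take passwords or payment card data."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Valueless attributes arrive as None; normalise everything to lowercase.
        a = {k: (v or "").lower() for k, v in attrs}
        label = a.get("name") or a.get("id") or "(unnamed)"
        if a.get("type") == "password":
            self.found.append(("password", label))
        # cc-name, cc-number, cc-exp, cc-csc ... are the standard HTML autofill tokens.
        elif any(t.startswith("cc-") for t in a.get("autocomplete", "").split()):
            self.found.append(("credit-card", label))


def audit_page(url, html):
    """Return the sensitive fields on a page served over plain HTTP, else []."""
    if urlsplit(url).scheme.lower() != "http":
        return []  # HTTPS pages are out of scope for this warning
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.found


# Constructed sample pages (assumptions for the demo, not real sites).
LOGIN = '<form method="post"><input name="user"><input type="PASSWORD" name="pw"></form>'
CHECKOUT = ('<form><input name="cardnumber" autocomplete="cc-number">'
            '<input name="exp" autocomplete="billing cc-exp"/>'
            '<input name="email" autocomplete="email"></form>')
PLAIN = '<p>Hello</p><input type="search" name="q">'

if __name__ == "__main__":
    pages = [("http://shop.example/login", LOGIN),
             ("https://shop.example/login", LOGIN),
             ("http://shop.example/pay", CHECKOUT),
             ("http://shop.example/", PLAIN)]
    for url, html in pages:
        hits = audit_page(url, html)
        print(url, "-> move to HTTPS:" if hits else "-> ok", hits)
```

Fields injected by JavaScript after load are not visible to a static scan like this, so pages that build their forms client-side need to be checked in a browser.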


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
