Browsers historically have used certain visual indicators in the address bar to mark encrypted connections, such as the green padlock and the word “Secure.” However, as HTTPS is becoming the norm on the web, Google plans to phase out these indicators from Chrome.
Starting with Chrome 69, which is scheduled for release in September, the browser will no longer display the word “Secure” in front of HTTPS URLs in the address bar. The traditional padlock will be kept for a little longer, but it will be black instead of green and it too will be removed, sometime in the future.
These are not the only changes to the visual indicators planned for this year. Chrome 68, planned for July, will start marking all HTTP pages as “Not Secure.” Right now, the browser displays the “Not Secure” indicator only when users attempt to enter information into web forms over unencrypted connections.
Chrome 70, which is due in October, will take things even further and will show a warning triangle and the text “Not Secure” in red if the user attempts to enter data on a page loaded over HTTP, making the indicator much more prominent.
“Users should expect that the web is safe by default, and they’ll be warned when there’s an issue,” said Emily Schechter, product manager for Chrome Security, in a blog post. “Since we’ll soon start marking all HTTP pages as ‘not secure,’ we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure.”
HTTPS adoption has seen a sharp rise over the past few years, especially since the launch of Let’s Encrypt, a certificate authority that provides certificates for free and offers automation tools that simplify certificate deployment and renewal.
Websites that want to benefit from the new HTTP/2 protocol, which brings significant performance benefits, have to implement HTTPS as well because browsers have tied HTTP/2 support to HTTPS on the client side. The new TLS 1.3 encryption protocol also gives HTTPS a major speed boost, so there are many reasons for switching on encryption for websites these days.
According to recent statistics, more than 68 percent of Chrome traffic on Android and Windows is to HTTPS websites, while on Chrome OS and Mac the ratio is even higher—more than 78 percent. Also, 81 of the world’s top 100 websites use HTTPS by default.
Tracking Firm Leaked Phone Location Data
A U.S.-based company called LocationSmart, which specializes in providing companies with real-time geolocation data for mobile phones from any U.S. carrier, had a vulnerability in its website that allowed virtually anyone to track other people’s devices.
The vulnerability, which was in a demo service run by LocationSmart on its website, was found by Robert Xiao, a security researcher at Carnegie Mellon University. The service allowed users to obtain location data for their own phones, but only after replying to a consent request via a phone call or text message.
Xiao found an issue in the service’s API that could be used to easily bypass the consent process and obtain location data for virtually any phone number. The company took down the trial service after being notified.
LocationSmart was recently in the news as the mobile tracking provider used by another company called Securus Technologies, which supplied phone location information to law enforcement agencies.