According to a post on the Google Online Security Blog, beginning in January 2017 Google Chrome will begin flagging all sites that use traditional HTTP rather than HTTPS for passwords or other sensitive information as "insecure". It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure". While HTTPS has always made sense for truly sensitive information, a pure HTTPS web does have implications for legacy tools - essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.
(Score: 2) by JNCF on Monday September 12 2016, @03:58AM
it seems like a way to train people to ignore red triangles.
This is addressed in TFA, it sounds like they're aware of that effect and they're trying to take it into consideration:
Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.
In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.
(Score: 2) by theluggage on Monday September 12 2016, @12:11PM
This is addressed in TFA, it sounds like they're aware of that effect and they're trying to take it into consideration:
Does that mean they're actually going to take it into consideration (which would involve considering the possibility that flagging all HTTP pages would be a step to far), or is it the usual "taking into consideration" (we'll discuss it a bit in committee and then go ahead and do what we've already decided to do)?
Passwords and credit cards? Fine - frankly I'd rather not put credit card info into a site that doesn't have extended verification, let alone a HTTP one. However - how reliably can you detect this if the page is using AJAX or Javascript? False security is worse than no security.
Incognito mode? Fine: you've specifically asked the browser to get paranoid.
Any old HTTP page? Sorry, no, that's just crying wolf - if you're that concerned about being monitored or spoofed, turn on Incognito mode.
"Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently"
Really? Quick, call the Journal of Urso-Sylvanian Scatology (incorporating Pontifical Denomination Studies)!
(Score: 2) by JNCF on Monday September 12 2016, @08:56PM
Flagging all HTTP sites seems like a step too far right now. I don't think they've committed to a firm timetable. If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.
(Score: 2) by theluggage on Tuesday September 13 2016, @04:13PM
If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.
That last 20% of http sites is gonna take a long time to shift. - run by people in their copious free time, on zero budget, with hosting companies that aren't falling over themselves to add Lets Encrypt support to make it click & drool (no, that's not always essential, but it makes it much easier, especially with Let's Encrypt's short-lived certs).