According to a post on the Google Online Security Blog, beginning in January 2017 Google Chrome will begin flagging all sites that use traditional HTTP rather than HTTPS for passwords or other sensitive information as "insecure". It also indicates that Google plans to eventually start flagging ALL traditional HTTP-only sites as "insecure". While HTTPS has always made sense for truly sensitive information, a pure HTTPS web does have implications for legacy tools - essentially if anyone is not using the absolute latest of one of the "big three" web browsers, they will always potentially be just one security update away from being locked out of the web.
(Score: 2) by theluggage on Monday September 12 2016, @12:11PM
This is addressed in TFA, it sounds like they're aware of that effect and they're trying to take it into consideration:
Does that mean they're actually going to take it into consideration (which would involve considering the possibility that flagging all HTTP pages would be a step to far), or is it the usual "taking into consideration" (we'll discuss it a bit in committee and then go ahead and do what we've already decided to do)?
Passwords and credit cards? Fine - frankly I'd rather not put credit card info into a site that doesn't have extended verification, let alone a HTTP one. However - how reliably can you detect this if the page is using AJAX or Javascript? False security is worse than no security.
Incognito mode? Fine: you've specifically asked the browser to get paranoid.
Any old HTTP page? Sorry, no, that's just crying wolf - if you're that concerned about being monitored or spoofed, turn on Incognito mode.
"Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently"
Really? Quick, call the Journal of Urso-Sylvanian Scatology (incorporating Pontifical Denomination Studies)!
(Score: 2) by JNCF on Monday September 12 2016, @08:56PM
Flagging all HTTP sites seems like a step too far right now. I don't think they've committed to a firm timetable. If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.
(Score: 2) by theluggage on Tuesday September 13 2016, @04:13PM
If rolled out after the vast majority of sites are already HTTPS, I could see it not contributing to the effect you're worried about.
That last 20% of http sites is gonna take a long time to shift. - run by people in their copious free time, on zero budget, with hosting companies that aren't falling over themselves to add Lets Encrypt support to make it click & drool (no, that's not always essential, but it makes it much easier, especially with Let's Encrypt's short-lived certs).