Google Chrome is about to warn you even more about insecure sites

Rob Pegoraro
Contributing Editor
Google Chrome is about to start warning you more often if the site you’re visiting is insecure. Photo: Getty Images

Later this month, your Chrome browser may make you more nervous online. But you should consider that a feature, not a bug.

Unfortunately, other browsers aren’t as proactive about the security of the link between your screen and a site, even if they do better at protecting other aspects of your privacy.

Snooping alert

The next release of Google’s (GOOG, GOOGL) browser ships on Oct. 17 for Mac/Windows/Linux, and the update for Chrome OS comes a week later. When that happens, you’ll see a “Not secure” warning in the browser’s address bar in two common scenarios.

The first will occur when you start to enter any data on a site that doesn’t encrypt your connection — meaning that it doesn’t scramble the data flowing between it and a browser, leaving outsiders free to see everything you do.

This extends a protection Google added in January, which threw the “Not secure” flag on pages that accepted passwords or credit-card data without encryption. Now typing anything at all will raise Chrome’s hackles.

Chrome, which held a 54.89% share of the worldwide browser market in August, according to StatCounter, will also alert you if you activate Incognito mode and visit an unencrypted site.

Future versions will get even more stringent and show the same warning for any site lacking encryption — but in an attention-getting shade of red.

This is how Chrome’s warnings will look versus how they used to look.

Abbreviated awareness

Techies have been able to tell a site encrypts a connection by looking for a lock icon in the browser’s address bar, along with an “https” prefix to a site’s address instead of the usual “http.”

Non-techies, however, have struggled with the concept. A survey released in March by the Pew Research Center found that only 33% of Americans knew what “https” in a site address meant.

By calling out the consequence of the lack of encryption instead of asking users to know “crypto” jargon, Google should help improve people’s understanding of the concept.

Here’s how Google’s Chrome will display security notifications.

Chrome’s competitors, meanwhile, remain much less militant about flagging unencrypted connections.

Apple’s (AAPL) Safari, the second-most popular browser, doesn’t offer alerts about unencrypted connections and has been more tolerant of older methods of encryption. In particular, that browser only stopped supporting an obsolete method of signing sites’ encryption certificates called “SHA-1” earlier this year — some two years after Google began warning users about it.

You can’t say Apple doesn’t worry about privacy, though. Safari 11, part of the new macOS High Sierra release and available as a separate download for some older versions, incorporates an “Intelligent Tracking Protection” feature that stops many advertisers from tracking your activity across different sites.

(Online advertisers are predictably unamused.)

Microsoft’s (MSFT) Edge also trails Chrome in this aspect and didn’t yank SHA-1 support until this spring.

An increasingly common defense

Fortunately, Google’s warnings are also becoming less necessary as more sites adopt encryption. What was once a scarce form of security has become a mainstream ingredient.

Google’s stats show that as of Sept. 23, 63% of pages loaded in Chrome’s Windows version came encrypted, while 74% of pages loaded in Chrome for Mac arrived encrypted. About two and a half years ago, those shares were at 39% and 43%.

Data collected by the Mozilla Firefox browser show encryption rising from 38% of pages in October 2015 to 61% as of Sept. 27. You can credit both pressure from security experts and efforts to make encryption easier and free. One initiative alone, Let’s Encrypt, issued its 100 millionth encryption certificate in June.

This means a lot, especially since the Republican majority in Congress has shown that it doesn’t want to stop internet providers from tracking their customers’ browsing habits.

The same people who know that “https” stands for “hypertext transfer protocol secure” know that they can defeat that kind of scrutiny by using “virtual private networking” apps, but site encryption is security for everyone.

It doesn’t offer protection as complete as VPNs do — your internet provider and other people on the same network can still see the domain names you visit — but the resulting data is less useful to an attacker or an advertiser than what they could get by snooping on an unprotected connection. And you don’t need to install a new app, change any settings or pay a fee to benefit from it. It’s just there, and it’s so easy to overlook that your first hint that this page is encrypted may be reading this sentence.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.