
Here's how broken today's web will feel in Chrome's secure-by-default future

Last week Google announced some changes to Chrome, specifically that come January 2017, practices like this are going to start resulting in browser warnings:

That's just one of many such examples I've called out in the past and frankly, I have about zero sympathy for those who are doing this in the first place so a browser warning is only right.

But here's the really interesting bit - that's just the beginning because Google has a plan:

a long-term plan to mark all HTTP sites as non-secure

I want to show you the significance of this on everyday websites and we can do that today by virtue of jumping into chrome://flags then scrolling down to "Mark non-secure origins as non-secure":

Mark non-secure origins as non-secure

And then we'll do just that - flag them as non-secure. Now let's go browsing!

It's first thing in the morning, so we'll kick off with a bit of international news:

CNN

Ok, browser warning there so not that trustworthy. Tell you what - Jony Ive put me in an Apple trance during the keynote last week so let's go and check out the new shiny there:

Apple

Huh, warning there too, it could even be a fake Tim Cook since it's loaded over HTTP so better move on. I get accused of being a Microsoft apologist sometimes so we'll try them next:

Microsoft

Shit. Now I honestly expected them to load over HTTP and show a warning but since they redirect to HTTPS by default everything looks cool. This makes a different point though - this is what the new normal will be when the non-secure exodus kicks in. But you already know what a site loaded over HTTPS looks like anyway, let's go for a fly instead:

Qantas

Dammit! Ok, big warning symbol there so that's no good. I'm sick of flying anyway, let's find a nice car:

Ferrari

Alright, that's it, definitely not buying a Ferrari via the browser now! But at least the warning symbol is red...

Maybe we'll set our sights a little lower and do some eBay shopping:

eBay

Right, not so good. At least our banks will be good, right? I mean they're the ones with the bank grade security:

NAB

It's one of the biggest banks in the country! Let's go bigger - let's grab one of the biggest in the world:

HSBC

This is really disheartening, I'm gonna go straight to the Prime Minister and make my feelings known:

Australian Government

Well that's surprising, our government seemed to be so good at getting tech right too...

Not to worry, I reckon we can go even higher still, let's hit up the UN:

Huh. Is it possibly just that these sites don't know how to implement HTTPS? Let's go see if we can find some good guidance on that:

Stack Overflow

Alrighty then. Tell you what - let's go back to the site where I first read about Chrome's upcoming change last week:

The Verge

This is obviously intended to be a bit tongue in cheek but here's the point: we are a very, very long way away from a "secure by default" web. Going HTTPS can be easy but it can also be a non-trivial exercise for the likes of Stack Overflow. We should all be going HTTPS only at the earliest opportunity, but the chances of seeing browsers do what they're doing in the screens above in 2017 are near zero and frankly, at this rate even 2018 is hard to see happening. What the January change does is move the needle just that little bit further around so that more sites use more SSL and better prepare the web for the inevitable transition described here.
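The difference between the Microsoft result above (an HTTP request that redirects to HTTPS, so no warning) and the rest (pages that stay on HTTP) comes down to where the redirect chain ends. The script below is an added example, not code from this post, that follows a site's redirects hop by hop and reports whether the final page would be marked non-secure, plus whether it sends HSTS. The fetch function is injected so the logic runs offline against constructed responses; the hostnames under `.example` and the `live_fetch` helper are assumptions for illustration.

```python
"""Decide whether a URL ends up on HTTPS after redirects (added example)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def follow_redirects(url, fetch, max_hops=10):
    """Follow redirects from `url` using `fetch(url) -> (status, headers)`.

    `headers` must be a dict with lower-case keys. Returns (chain, headers)
    where `chain` is every URL visited and `headers` belongs to the final,
    non-redirect response. Loops, missing Location headers and chains longer
    than `max_hops` raise RuntimeError instead of spinning forever.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return chain, headers
        location = headers.get("location")
        if not location:
            raise RuntimeError(f"{status} without Location from {chain[-1]}")
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise RuntimeError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects from {url}")


def classify(url, fetch):
    """Report what Chrome's 'mark HTTP as non-secure' mode would show."""
    chain, headers = follow_redirects(url, fetch)
    secure = urlsplit(chain[-1]).scheme == "https"
    return {
        "chain": chain,
        "secure": secure,
        "hsts": secure and "strict-transport-security" in headers,
        "verdict": "no warning" if secure else "marked non-secure",
    }


# Constructed responses (hypothetical hosts) so the example runs offline.
CONSTRUCTED_RESPONSES = {
    "http://news.example/": (200, {"content-type": "text/html"}),
    "http://redirects.example/": (301, {"location": "https://redirects.example/"}),
    "https://redirects.example/": (200, {"strict-transport-security": "max-age=31536000"}),
    "http://loop.example/": (302, {"location": "/start"}),
    "http://loop.example/start": (302, {"location": "http://loop.example/"}),
}


def constructed_fetch(url):
    """Offline stand-in for a real HTTP client."""
    return CONSTRUCTED_RESPONSES.get(url, (404, {}))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to us instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def live_fetch(url):
    """Real fetcher for checking an actual site (network access required)."""
    req = urllib.request.Request(url, headers={"User-Agent": "https-check/1.0"})
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx arrive here
        return err.code, {k.lower(): v for k, v in err.headers.items()}


if __name__ == "__main__":
    for start in ("http://news.example/", "http://redirects.example/"):
        print(start, "->", classify(start, constructed_fetch))
    # To test a real site: print(classify("http://example.com/", live_fetch))
```

Note that "no warning" here only means the page itself is served over HTTPS; a page that redirects to HTTPS but pulls in scripts or images over plain HTTP still gets a mixed-content warning, and a site without HSTS still makes that first HTTP request on every fresh visit.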

And just for the sake of completion to save comments on things I've already covered, we’re struggling to get traction with SSL because it’s still a premium service and no, Let's Encrypt is not a panacea to all our woes (as much as I love the idea), and for many cases, CloudFlare will be an easier and more effective proposition.


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.