Google to mark HTTP sites as non-secure from January

9 September 2016

Google has announced that it will be marking websites that process sensitive information without HTTPS as “non-secure” in Chrome from January 2017. This is part of Google’s goal to adopt HTTPS as the new standard.

What will change, exactly?

The security indicators have already been updated in the current version of Chrome, version 53, in order to more clearly inform visitors about the (non-)security of a connection to a website. A non-secure connection still shows a neutral notification, although an information button (labelled “i”) has been added. In version 56, Google will take things one step further by adding the text “Not Secure” as well. The image below shows how a website without SSL is currently displayed and what it will look like from January 2017.

HTTP in Chrome 56

In version 56, only HTTP sites that process personal information, e.g. passwords and credit card information, will receive a notification. In the long run, it is Google’s intention to display this notification for all HTTP websites, even those without forms to fill in. This notification will stand out a lot more because of its red colour and the inclusion of a warning triangle.

It is already possible to see how HTTP will soon be displayed by changing a setting in the Chrome browser: via chrome://flags, go to “Mark non-secure origins as non-secure Mac, Windows, Linux, Chrome OS, Android” and select the “Mark non-secure origins as non-secure” option.

Why implement these changes?

Google has been hard at work to promote the use of SSL certificates for quite a while, because this leads to a safer internet. For several years now, for example, the use of HTTPS throughout a website has been a factor in a website’s ranking in Google’s search results. Google also discourages the use of outdated certificates.

Google claims that, partly thanks to these measures, a large part of internet traffic has transitioned to HTTPS and that the use of HTTPS continues to rise. Chrome is the most-used web browser these days and more than half of the desktop Chrome visits are already made via HTTPS. Since the publication of the “HTTPS on Top sites” report in February of this year, twelve new websites from the top 100 have adopted HTTPS as the new standard.

Google hopes to see other browser developers adopt these new icons as well. Mozilla is expected to take its browser Firefox in a similar direction.
