In 2014, the Google Chrome Security Team expressed its intention to mark both broken HTTPS URLs and HTTP websites as non-secure online resources. Since HTTP is the only non-secure online resource that remained unmarked, the purpose of this marking is to clearly inform users that HTTP websites don’t provide any security for their data. This information would help users decide whether they want to continue using a website or leave it. The Chrome Security Team came up with this project because they think that displaying the same red “X” flag in the address bar for HTTP websites, just as a red “X” is displayed for broken HTTPS links, will give users more accurate security warnings than keeping HTTP pages neutral. Google’s latest tool, the Security Panel in DevTools, is another important step towards full web encryption.
Security Panel in DevTools
Besides simplifying the set of security indicators users see in their browsers, the red “X” indicator aims to increase users’ security awareness. New cyber threats show up each week, so displaying security warnings should become a common practice for web browsers. In this way, web browsers can properly educate their users about the importance of cybersecurity. Even though Google won’t mark HTTP websites with scary warnings like those shown for phishing websites, some online users think that a red “X” may change users’ habit of ignoring warnings on HTTP websites because the warnings will simply appear too often.
This Google move is a part of their ‘HTTPS Everywhere’ campaign, following their latest decision to boost search engine rankings for HTTPS domains. It is still not clear when the Google Chrome Security Team will implement this update. Currently, Chrome users can test the new red “X” flag for HTTP websites by accessing this Chrome flags link and changing the default setup for the experimental feature that says “Mark non-secure origins as non-secure” to the option with the same name.
Moreover, by launching the Security Panel in DevTools, Google took its first steps towards the red “X” implementation. The Security Panel helps webmasters learn more about their website’s origins, their connection information, and any existing errors. This will help you as a website owner find out what is stopping your website from displaying the padlock in Google Chrome’s address bar.
Each selected page in the DevTools Security Panel displays the following information:
- The verification of your certificate: it shows the padlock if a valid SSL/TLS Certificate secures your website’s connection;
- Your TLS connection: it indicates the padlock mark if your website uses a strong, modern secure protocol and cipher suite;
- The security of your subresources: it will display the padlock only if all your subresources are HTTPS. Otherwise, if you mix your content with HTTP images on an HTTPS web page, then a warning will appear along with your HTTP subresources. By clicking on the warning you’ll get in-depth details about the certificate, connection, and security state.
The launch of the Security Panel in DevTools is the next step in Google’s “HTTPS Everywhere” goal. It will give developers more detailed guidelines on how to make their web connections more private and secure. But more than that, it is a tool for supporting and preparing webmasters and users for marking HTTP websites as being bad. By securing your website using SSL/TLS certificates, you can protect it from being marked as Not Secure in the future, and avoid additional migration costs.