Improving security warnings in web browsers


Currently web browsers don’t warn users about HTTP connections – the most insecure way to connect to a web page. Thankfully, this is changing.

Security warnings in modern web browsers are weird.

When you browse to your favourite online shopping checkout or your online bank account, you get a happy lock icon. That’s great. It reminds users that they are on a secure webpage that is properly configured, and that all data sent to and from that particular page should be encrypted end to end. Excellent.

In addition, when you browse to a ‘secure’ website that has been badly set up, not maintained or has an expired certificate, your browser will warn you. This may be as simple as showing a broken or crossed-out lock icon. In severe cases, your web browser may blank the page and throw up a big red warning message detailing what is wrong with the website, allowing you to point your web browser elsewhere or continue if you’re convinced there is no risk. This is also pretty awesome. Your browser is telling you that the page you’re on may not be secure, to what degree it is insecure, and what exactly the problem is, allowing you, as the user, to make an informed decision. Fantastic.

However, what is rather odd is that when you are browsing non-secure webpages (HTTP rather than HTTPS), your browser says nothing. It doesn’t complain that your data is being transmitted in plaintext. It does not whine that your data can be intercepted by anyone on the same WiFi network as you. When you type your personal data, your credit card details or your passwords into one of these pages, your web browser does not even raise a metaphorical eyebrow to alert you to the danger.

This should probably be changed.

The Chromium team, who are responsible for the Chromium web browser (on which Google Chrome is based), have made a proposal to do just that. Their proposal is that user agents (the technical term for web browsers) mark HTTP websites as ‘non-secure’. This would mean that when visiting a webpage over an insecure (HTTP) connection, you’ll be warned by your web browser in a similar fashion to when you are visiting a badly set up ‘secure’ (HTTPS) website. According to the proposal’s webpage, the Chrome Security Team intend to add this new feature over the course of 2015, gradually phasing in various levels of warning for browsing webpages over HTTP.

With any luck, we will see all other major web browsers follow suit. We can then all look forward to a more secure web, as more and more websites are strongly incentivised to switch over to encrypted HTTPS connections.