Chrome browser flags popular sites as ‘not secure’
Published by the BBC on 24 July, 2018.
Security warnings will pop up on the Daily Mail website today if visitors are using the latest version of Google’s Chrome browser.
It is one of many sites the browser will flag because they do not use HTTPS – the secure version of the web’s underlying data transfer protocol.
Many sites have switched to this version to protect visitors against data theft and hijacking.
About 20% of the world’s top 500 websites are using HTTP.
The HyperText Transfer Protocol (HTTP) defines how data is passed around the web. The “S” in HTTPS stands for “Secure”: the connection is wrapped in TLS, so the data is encrypted before it travels, the browser can check that it is talking to the genuine site, and any tampering with the data in transit is detected.
In the UK many other sites, such as Sky Sports, Argos and Boohoo have also not yet adopted HTTPS.
There is no evidence that any of the sites which have not made the change to HTTPS are currently subject to attacks that abuse insecure data.
Why does it say the sites are not secure?
It’s because they do nothing to scramble the data passing between you and that website, and nothing to prove to your browser that the site you have reached is the genuine one.
According to statistics gathered by security researcher Troy Hunt, more than half of all the web’s top one million sites have not flipped to HTTPS.
Mr Hunt has launched a site called WhyNoHTTPS? that lists the world’s most popular websites that still serve their pages over plain HTTP. The list draws on statistics gathered by British security researcher Scott Helme.
The Daily Mail tops his UK list as the busiest site to lack the protective measure.
Other big names on the list include Chinese messaging firm Tencent QQ, block-building game Roblox and sports broadcaster ESPN.
And while BBC News’ pages do use HTTPS, some of the broadcaster’s other sites have not implemented the measure, including its BBC America pages.
Why are these warnings appearing today?
It is not because anything on these sites has changed. It’s because today is the day Google released Chrome 68, which marks every page loaded over plain HTTP as “Not secure”.
Google began the process of warning people about sites that use HTTP in early 2017. Initially the “Not secure” warning appeared only on pages that collected passwords or credit-card details. Firefox and Safari added similar warnings for such pages at about the same time.
Now all sites that have not switched will be flagged by Chrome. The other big browser makers are expected to follow soon.
Others – including governments – are joining the push for HTTPS. The UK’s National Cyber Security Centre recently issued advice saying that all sites should use HTTPS.
In addition, the Let’s Encrypt project aims to make it easy for small sites to adopt it by publishing easy-to-follow guides and tools that simplify the process.
Is my data at risk?
Mr Hunt, and many other security experts, have demonstrated ways to hijack and redirect users who connect to a site only via HTTP, because anyone sitting on the path between the visitor and the site, for example on the same public Wi-Fi network, can read and alter the pages as they pass.
Without HTTPS, data travels in plain text as it goes back and forth across the web. Cyber-criminals who can get into that path are able to intercept the information, abuse it to steal data, or insert their own code or malicious adverts into the pages a visitor sees.
It is not clear how many criminals are using these methods to fool users and steal data, but several successful campaigns have been spotted that use these techniques.
There is no suggestion that the sites currently only using HTTP are subject to attacks targeting insecure data.
Also, many sites are now rapidly adopting HTTPS as a result of a growing consensus around its use. Mr Hunt’s list of insecure sites is regularly updated, but some sites on it, such as JustEat and Sage.com, have already adopted HTTPS.
Should I avoid sites that are flagged as not secure?
No, but you should be wary of those that require you to sign in or which let you buy goods and services through them, because a password or card number typed into a plain-HTTP page travels unprotected.
To stay safe, pick a hard-to-guess password that you do not reuse on other sites, and ensure your browser and other software on your device are up to date. If there are other methods you can use to secure transactions, such as two-factor authentication, it could be well worth adopting them.
If you run your own website, adopting HTTPS has become a lot easier: certificates are available free of charge from Let’s Encrypt and can be issued and renewed automatically, after which you redirect plain-HTTP visitors to the HTTPS version of the site so that they are protected too.
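The following is an added example, not code from the article, from WhyNoHTTPS? or from Scott Helme’s crawls. It shows one simple way a crawl of the kind described earlier might decide whether a site has “flipped to HTTPS”, and it is also the check a site owner can run after switching: the assumed rule is that a site counts as being on HTTPS when a request to http://host/ is answered with a redirect (301, 302, 303, 307 or 308) to an https:// URL on the same host, and anything else served over plain HTTP is flagged, just as Chrome 68 would flag it. The sample responses are constructed for the example, not captured from any real site; the helper names and the optional network fetch at the end are the example’s own.

```python
"""Classify a site's plain-HTTP behaviour with an assumed HTTPS-adoption rule.

Added example; not WhyNoHTTPS?'s or Scott Helme's own method.
"""
from __future__ import annotations

import http.client  # used only by the optional live fetch at the bottom
from dataclasses import dataclass
from typing import Optional, Tuple, Dict
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Verdict:
    host: str
    status: int            # status code of the plain-HTTP response
    redirects_to_https: bool
    hsts: bool             # HTTPS response carried Strict-Transport-Security

    @property
    def flagged(self) -> bool:
        """True when Chrome 68 would show "Not secure": the site answers over
        plain HTTP without sending the visitor to HTTPS."""
        return not self.redirects_to_https


def parse_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Parse a raw HTTP response head (status line plus headers).

    Returns (status_code, headers); header names are lower-cased and only the
    first occurrence of a repeated header is kept.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return int(code), headers


def _canon(host: str) -> str:
    """Normalise a host name so example.com and www.example.com compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(host: str, http_response: bytes,
             https_response: Optional[bytes] = None) -> Verdict:
    """Apply the assumed rule to the plain-HTTP response for http://host/.

    A redirect to an https:// URL for the same host counts as HTTPS adoption;
    a redirect to some other host does not, because visitors of this host
    would still load it over plain HTTP.
    """
    status, headers = parse_head(http_response)
    to_https = False
    if status in REDIRECT_CODES:
        target = urlparse(headers.get("location", ""))
        to_https = (target.scheme == "https"
                    and _canon(target.hostname or "") == _canon(host))
    hsts = False
    if https_response is not None:
        _, https_headers = parse_head(https_response)
        hsts = "strict-transport-security" in https_headers
    return Verdict(host, status, to_https, hsts)


# Constructed sample responses (not captured from any real site).
HTTP_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Location: https://www.example.com/\r\n"
                 b"Content-Length: 0\r\n\r\n")
HTTPS_WITH_HSTS = (b"HTTP/1.1 200 OK\r\n"
                   b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                   b"Content-Type: text/html\r\n\r\n<html>ok</html>")
HTTP_PLAIN_200 = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n\r\n<html>login form here</html>")
HTTP_OFFSITE = (b"HTTP/1.1 302 Found\r\n"
                b"Location: https://cdn.other.example/\r\n\r\n")


def fetch_head(host: str, https: bool = False, timeout: float = 5.0) -> bytes:
    """Optional live check (needs network): fetch the head of GET / as raw bytes
    in the same shape as the constructed samples above."""
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host, "User-Agent": "https-check/0.1"})
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    return (head + "\r\n").encode("iso-8859-1", "replace")


if __name__ == "__main__":
    for name, sample in [("redirects", HTTP_REDIRECT), ("plain", HTTP_PLAIN_200),
                         ("offsite", HTTP_OFFSITE)]:
        v = classify("example.com", sample, HTTPS_WITH_HSTS)
        print(f"{name:9s} status={v.status} flagged={v.flagged} hsts={v.hsts}")
```

To check a real site you control, pass `fetch_head(host)` and `fetch_head(host, https=True)` to `classify` in place of the constructed samples. The HSTS flag is reported separately because a redirect alone still leaves the very first plain-HTTP request open to interception; the `Strict-Transport-Security` header tells returning browsers to skip that request entirely.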