Starting in July, any site that’s not protected with encryption will show as “not secure.” Too bad for politicians who want to be able to crack encryption.
Eight years ago, it was an aggressive move when Google started pushing its popular Gmail service over an encrypted connection by default. Four years ago, it was a bit less surprising when it made encryption the only option for Gmail. And now it’s taking the next step in trying to curtail eavesdropping: using its Chrome browser to label as “not secure” any website that’s not encrypted.
The move will fulfill a promise — OK, maybe it was more of a threat — Google made three years ago. The company said the day would be coming, but on Thursday it told website publishers and Chrome users the deadline: the release of Chrome 68 in July.
If you’re a Chrome user, and there are good odds you are since it’s the most-used browser these days, you shouldn’t freak out when you start seeing lots of “not secure” warnings to the left of the browser’s address bar. They’re most likely flagging unencrypted websites you’ve already been visiting without your digital world collapsing — you just didn’t know there was no encryption.
In the early days of the internet, encryption required more-powerful computing hardware, slowed down communications, and required websites to pay for expensive encryption certificates. But those performance problems are largely gone, and efforts like Let’s Encrypt now make the certificates free.
And there’s good reason to add the encryption. Obviously, you need it if you’re typing your password into a website — that’s where Chrome first started offering its warnings a year ago. But even with seemingly ordinary websites, where you might not think you have anything to hide, encryption is a good idea.
For one thing, encryption keeps malicious actors from messing with webpages — for example, inserting ads or altering websites to send you to a bogus sign-in page. For another, even looking at particular news stories or Wikipedia pages can reveal personal information to advertisers or, in some parts of the world, political surveillance agents.
Encryption makes life a lot harder for authorities accustomed to the old days when they could wiretap phones and simply record conversations. Indeed, FBI Director Christopher Wray in January railed against unbreakable encryption, a common refrain among politicians and law-enforcement officials.
The only problem with such requests is that there’s no way to make encryption breakable for legitimate investigations without breaking it for logging in to websites, buying shoes on Amazon, and protecting privacy. For that reason, encryption luminaries and Silicon Valley companies have steadfastly maintained opposition to weakening encryption.
Other browsers are pushing encryption with measures similar to Chrome’s. And they’re also pushing website developers by offering some new web technology only when websites are encrypted.
Encryption is now ordinary. According to Firefox statistics, 70 percent of webpage visits now are encrypted, up from about 28 percent three years ago.
Google announced the move on its Chromium blog, offering tips to web developers who have to wrestle with the transition. According to Google’s measurements, 81 of the top 100 websites today use encryption by default. More than 68 percent of traffic on Chrome for Android and Windows is encrypted now, and the figure is even higher, 78 percent, for laptops running Apple’s MacOS and Google’s Chrome OS.
“Developers have been transitioning their sites to HTTPS [encryption technology] and making the web safer for everyone. Progress last year was incredible,” Emily Schechter, Chrome’s security product manager, said in the blog post.