Chrome fans might have noticed a little change in their browsers today. Assuming you’re running Chrome’s latest iteration, version 68, you’ll now see a big “not secure” button in the address bar whenever you pull up a website that starts with http:// instead of https://. (For what it’s worth, I’m using Chrome version 67.0.3396.99, and it pops up there, too, whenever a page has a data entry field.)
Will you ignore this warning? Probably. Should you? Probably not.
Web security expert Troy Hunt spells out why it’s important for sites to use HTTPS — that’s “secure” Hypertext Transfer Protocol — in this quick video below.
It’s absolutely worth watching, but here’s the short version: It isn’t that difficult for companies, hackers, or anyone else with a vested interest in your web travels to notice your HTTP request, like when you want to visit a particular website; intercept this request; and then modify it with something you didn’t want, such as advertising, a pop-up or a different website entirely.
Most websites are pretty good about redirecting you to their HTTPS versions when you type in a simple domain name: Amazon, Microsoft, Tumblr, Lifehacker, et cetera. But there are plenty of websites that don’t do this, and Hunt has created a website of his own to track these offenders — Why No HTTPS?
On it, he’s listed out the top 100 websites in the world that don’t automatically redirect to an HTTPS version of the site when you enter their domain names. Offenders (and their Alexa ranks) include Baidu.com (#4), qq.com (#6), bbc.com (#105), espn.com (#136), foxnews.com (#211) and even speedtest.net (#237), to name a very few.
The frustrating thing is that some of these sites actually have secure versions; you’d just have to type in https:// and the domain name, rather than just websitename-dot-com to access it (unless it has some kind of a preference or setting that you can check to automatically redirect to the HTTPS version whenever you visit the site).
This trick doesn’t work with all sites, however. You can https://www.espn.com all you want, and you’ll still get redirected to a less-secure HTTP site.
When your favourite sites don’t support HTTPS — or so you think
I recommend grabbing the browser extension HTTPS Everywhere. It’s a great little tool, authored by The Tor Project and the Electronic Frontier Foundation, that tries to solve some of these issues by connecting your browser to the HTTPS version of websites whenever possible. It isn’t flawless, nor is it magical. As the EFF notes, it cannot create site security out of thin air:
HTTPS Everywhere protects you only when you are using encrypted portions of supported web sites. On a supported site, it will automatically activate HTTPS encryption for all known supported parts of the site (for some sites, this might be only a portion of the entire site). For example, if your web mail provider does not support HTTPS at all, HTTPS Everywhere can’t make your access to your web mail secure. Similarly, if a site allows HTTPS for text but not images, someone might be able to see which images your browser loads and guess what you’re accessing.
HTTPS Everywhere depends entirely on the security features of the individual web sites that you use; it activates those security features, but it can’t create them if they don’t already exist. If you use a site not supported by HTTPS Everywhere or a site that provides some information in an insecure way, HTTPS Everywhere can’t provide additional protection for your use of that site. Please remember to check that a particular site’s security is working to the level you expect before sending or receiving confidential information, including passwords.
If you’re just clicking mindlessly through sites in your browser, you probably don’t need to care that much about HTTP versus HTTPS — not unless you start experiencing something strange during your browsing session. At least, that’s how SecurityMetrics analyst Brand Barney phrased it in a 2014 blog post: “If you are just browsing the web, looking at cat memes and dreaming about that $200 cable knit sweater, HTTP is fine.”
So, checking sports scores on ESPN at home — probably fine on the site’s less-secure connection. If you’re logging in to your ESPN account in a cafe, I’d be a little more nervous (and probably not do it).
If I just couldn’t resist, I’d make sure my ESPN login credentials weren’t the same as anything else I use for any other sites or services, and I absolutely wouldn’t enter my credit card information to buy anything on ESPN’s site (if you can even do that).
In other words, HTTP likely won’t give you issues for casual browsing, but once you start inputting information that you wouldn’t want others to have — passwords, payment information, your address and so on — you’d be foolish to do it on an insecure connection.
Worse, you don’t want to be sending that information across an insecure HTTP connection on an open wireless network, at your cafe, or anywhere else where a lot of people you don’t know on the same network could be cyber-eavesdropping what you’re up to.
Even though a majority of websites have moved to HTTPS, you’ll also want to make sure you’re paying more attention to Google’s callout in Chrome. In a perfect world, Google would make the “not secure” icon red and blinking to get your attention when you’re about to do something you shouldn’t on an insecure website, but a larger indicator in the address bar is better than nothing, we suppose.
The next time you’re about to buy something online, be sure to give the top of your browser a quick peek.