New issue
Advanced search Search tips
Starred by 48 users
Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug
Team-Security-UX

Blocked on:
issue 578322
issue 444242
issue 513863
issue 585670
issue 585671


Show other hotlists

Hotlists containing this issue:
EnamelAndFriendsFixIt


Sign in to add a comment
Marking Non-Secure Pages Non-Secure ("Marking HTTP as Bad")
Project Member Reported by lgar...@chromium.org, Jan 16 2016 Back to list
Our goal is to mark non-secure pages like HTTP using the same bad indicator as broken HTTPS, since this 1) is more accurate than marking such pages as neutral, and 2) simplifies the set of security indicators.

Original announcement: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Field Trial (and chrome://flags):  Issue 444242 
Marking Dubious as Neutral:  Issue 513863 

For Googlers: internal documents about this effort are collected at [1].

[1] https://drive.google.com/corp/drive/folders/0B1kg1oK-WfnufmdveUhFNTBvMzcwNkRfaDZFUkFJV2RjRGRZY0p1dTY0UnpkRWlkS3pUSVU
 
Blockedon: chromium:578322
Cc: igrigo...@chromium.org
Comment 3 Deleted
Comment 4 Deleted
Comment 5 by konkl...@gmail.com, Feb 1 2016
> Maybe let users opt into it, or make alerts slightly more visible, but not a full screen.

For the benefit of others viewing/watching the thread - the proposal is not for a full screen or interstitial, but to change the "security indicator" (next to the URL, where the lock icon is for HTTPS sites).
Re #5: Thanks for reiterating that.

To anyone who cares about this topic: This issue is meant for long-term issue tracking of the implementation. I don't want to restrict commenting on the bug, but I will delete comments that aren't specific to the issue – please focus the discussion of technical UX aspects.
Comment 7 by palmer@chromium.org, Feb 10 2016
Blockedon: chromium:585670
Comment 8 by palmer@chromium.org, Feb 10 2016
Blockedon: chromium:585671
Comment 9 by palmer@chromium.org, Feb 10 2016
Cc: ainslie@chromium.org f...@chromium.org maxwalker@chromium.org
Some thoughts:

- We have implemented marking HTTP as non-secure, but the UI currently has a bunch of edge cases, and doesn't match up with DevTools. It would be nice to make sure that we can support marking HTTP as non-secure as a first-class mode.
- In order to get more exposure and feedbck in the field, what about trying to get certain populations to try it out? For example, perhaps we could convince some security-conscious enterprise customers to set this for all their computers.
Labels: ConnectionInfo
Cc: palmer@chromium.org
Owner: emilyschechter@chromium.org
The project is currently in planning land. :-)
I am a web developer and I was talking with a hosting provider we use for marketing sites and blogs, as we were discussing opening a new account we were told that google was looking at enforcing SSL or a dedicated IP address on each site otherwise you would be penalized. 

As I was doing more research on this I found this article.


If this is real and google will serously enforce this and penilize sites in my opinion it would be the STUPIDIEST (sorry) thing google has ever done. 

The reason why google's search engine is so big and popular as we all know, is for the quality of the results shown. This results are based on content and relevance. There are millions of website which contain the answers the user is looking for and most all of them dont have the budget to pay for an SSL cert a year. 
Google will loose this sites, its credibility and quality of results. I would personally move to Bing and will make sure to explain all my followers why. 

I cannot believe this is being considered. 
I'm sorry about the comment above and the frustration shown in it. I am just really upset and surprised this is being considered. 
Comment 15 by jww@chromium.org, Sep 15 2016
To be clear, this project has nothing to do with Google Search. This project is strictly about how the Chrome browser indicates the status of a page you're on (i.e. the lock icon next to HTTPS in the URL bar).
> most all of them dont have the budget to pay for an SSL cert a year

As jww already pointed out this is completely off-topic (is there a better place we can move this discussion to?), but for what it's worth you can get an SSL cert completely free with Let's Encrypt, so the cost of the certificates themselves shouldn't be an issue.
Components: -Security>UX UI>Browser>Omnibox>SecurityIndicators
Labels: -ConnectionInfo
Labels: Hotlist-EnamelAndFriendsFixIt
Sign in to add a comment