I doubt Chrome's new 'not secure' warning about HTTP sites will change much (at least right away)

July 24, 2018

In theory, today (July 24th) is the start of an HTTP apocalypse, because Google has released Chrome 68, and Chrome 68 labels all plain HTTP sites as 'not secure'. More exactly, it adds a 'not secure' label beside the address in the URL bar (or omnibox, if you prefer that term); it does not block the page or show an interstitial, and the connection itself is no different than it was in Chrome 67. It's possible that Firefox will follow now that Chrome has led the way on this, and in any case Chrome apparently has about 60% of the browser market, so its decision here affects a lot of people. However, I don't think this is going to be as big a deal as you might expect (and as some people fear), for three interlinked reasons.

The first reason is the same fundamental issue as the one affecting EV certificates, which is that all this is doing (right now) is changing the URL bar a little bit. We have pretty good evidence (from EV certificates among other things) that very few people pay much attention to the URL bar, and the 'not secure' label is even less prominent than EV certificates were (EV certificates at least got a green indicator and the organization's name; 'not secure' is small grey text). It seems fairly unlikely that people will even notice the change, which is an obvious prerequisite for them caring about it.

The second reason is that people mostly don't care about this. When people go to a website, it's because they want to see the website, and they really don't care about anything in the way (as we have seen in the past when browsers let people easily override TLS certificate warnings). There aren't likely to be very many people who will change their behavior because they're suddenly being warned (a very little bit) that their connection is 'not secure'. Without the users visibly caring, many sites will not have much extra motivation to change.

(They'll have some extra motivation; the 'not secure' is a nudge. But it's not a really strong nudge, at least not now.)

The third reason is that plenty of sites are going to remain HTTP (and thus 'not secure') for a great deal of time to come. For many people, this will make the 'not secure' label a routine thing that they see all the time, and routine things rapidly lose any power they might once have had. If even a tenth of your web browsing is 'not secure' and nothing particularly bad happens, you're likely to conclude that the 'not secure' warning is unimportant and something you can freely ignore. This feeds into the other two reasons: unimportant things get ignored, and if you are one site in a crowd of many, why go to much work to change, especially if no one seems to care?

I understand why Google and other people are enthused about this and I think it's a positive step forward to an all-HTTPS world. But in my opinion the 'not secure' label is only the tip of the iceberg as far as its importance goes and we shouldn't expect that label to do much on its own. I suspect that the long run importance of this will be how it changes the attitudes of web developers and website operators, not any changes in user behavior.

(To put it one way, the 'not secure' label is the surface sign of an increasingly broad consensus view that HTTP needs to go away, for good reasons. That we have gotten far enough along in this view that the Chrome developers can make this change without facing a big backlash is the big thing, not the label itself.)


Comments on this page:

By Nick at 2018-07-25 12:45:49:

HTTP needs to go away

We do seem to be headed there, i.e. to a future when your domain may publish on the web only with the permission of a CA. For a preview of this new world see

https://scotthelme.co.uk/the-power-to-revoke-lies-with-the-ca/

Last modified: Tue Jul 24 23:10:40 2018