Chrome to warn when insecure websites expose your passwords

Google believes unencrypted websites are fundamentally flawed and should be banished. It's enlisted its own web browser to spread the message.

Chrome eventually will warn that any unencrypted website is insecure.

Google

Google's Chrome browser soon will begin warning you when websites aren't securing your passwords or credit card numbers properly, an early step in the company's plan to fundamentally change how we view encryption on the web.

Encryption scrambles data so eavesdroppers can't understand information being sent to or from your web browser. It also keeps people from modifying websites -- for example, by inserting their own advertisements. And it makes life harder for police investigators and spies, which is why law enforcement and surveillance authorities have been trying to find ways around encryption.

Google wants encrypted websites to become the norm to improve privacy and security, and it's using its browser to push that agenda to hundreds of millions of people who use it. Starting with Chrome 56, due in January 2017, the browser will present a "not secure" alert on websites that handle passwords and credit card numbers insecurely.

It's a small, not terribly controversial change. Website encryption was invented more than two decades ago precisely so this kind of information could be secured to enable e-commerce. But this is just a first step in Google's plan to get us all to think of unencrypted websites as flawed, not ordinary.

The FBI may not like it, but Google's pro-encryption stance is increasingly common. As we live more and more of our lives online, building better privacy into the global internet seems sensible.

To fetch website content from where it's stored on a web server, your browser uses the foundational technology called HTTP, or Hypertext Transfer Protocol. For encrypted website communications, though, browsers use a secure version called HTTPS. To encourage website developers to move from HTTP to HTTPS, Google gradually will spread the Chrome "not secure" warning to any website delivered over HTTP, not just those with passwords and credit card numbers.

"Chrome currently indicates HTTP connections with a neutral indicator. This doesn't reflect the true lack of security for HTTP connections," said Emily Schechter, a member of the Chrome security team, in a blog post Thursday. "When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."
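For site owners who want to find the pages the Chrome 56 warning targets, here is an added example (not from the article or from Google) that audits a page's HTML for password and credit card fields delivered over HTTP. How a field is judged sensitive (`type="password"` or a `cc-*` autocomplete token) is this example's assumption, not Chrome's exact logic, and the check for HTTPS pages whose forms submit to HTTP goes beyond what the article describes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption of this example: a field is "sensitive" if it is a password input
# or carries a credit-card autocomplete token. Chrome's own detection may differ.
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class SensitiveFormAudit(HTMLParser):
    """Collects sensitive inputs and the URL each one would be submitted to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action = page_url  # inputs outside a form are tied to the page itself
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            tokens = set(a.get("autocomplete", "").lower().split())
            if a.get("type", "").lower() == "password" or tokens & CARD_TOKENS:
                self.findings.append((a.get("name", "?"), self.action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = self.page_url


def audit(page_url, html):
    """Return (field, reason) pairs for sensitive fields exposed over HTTP."""
    parser = SensitiveFormAudit(page_url)
    parser.feed(html)
    page_plain = urlsplit(page_url).scheme == "http"
    issues = []
    for name, action in parser.findings:
        if page_plain:
            issues.append((name, "page delivered over HTTP"))
        elif urlsplit(action).scheme == "http":
            issues.append((name, "form submits to HTTP"))
    return issues


# Constructed sample page, not taken from any real site.
SAMPLE = """<form action="/login"><input name="user">
<input type="password" name="pw"></form>
<form action="http://pay.example/charge">
<input name="card" autocomplete="cc-number"></form>"""
```

Calling `audit("http://shop.example/account", SAMPLE)` flags both fields; the same markup served from an `https://` URL leaves only the card form that posts to a plain HTTP endpoint.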