Chrome adjusts HTTP security settings
Google have just announced a relatively major upcoming change for Chrome - as of January 2017, they’ll be adding a new security indicator for HTTP sites handling passwords and credit card data. HTTP sites aren’t truly secure - it’s possible for cybercriminals to alter the content that gets displayed by using a MITM attack.
A Man In The Middle (MITM) attack essentially involves a person getting in-between two communicating devices, intercepting the information transmitted between the two. Beyond that, information from one end may be altered - a site may be edited to appear legitimate, but actually transfer data to a third party, as an example.
Being able to edit sites which handle credit card information and passwords has some obvious applications for criminals - they can steal the information that users input, syphoning funds or taking over accounts. Because of this (and various other vulnerabilities), it’s a fairly good rule of thumb that you shouldn’t use credit cards on HTTP sites at all.
Sites which use HTTPS certificates, however, can’t be edited in the way that HTTP ones can. While there may still be security issues, you can be sure that you’re seeing what you’re meant to be seeing.
Future Chrome changes for HTTP certification
Most modern browsers already indicate if a site’s using HTTPS: on the left hand of the address bar, you’ll see a padlock symbol - if it’s green, the certificate’s valid, while yellow and red icons indicate security issues.
With the release of Chrome 56 in January 2017, HTTP sites which handle passwords and financial information will also start displaying icons, warning users that the site is non-secure, and hopefully making them think twice before entering their details.
While only sites using passwords and financial information will be affected by the change in January, Google’s announced that they plan to eventually label all HTTP sites as non-secure, pushing people to upgrade to HTTPS certification. It’s worth reiterating that this change is exclusively for Chrome, but it wouldn’t be particularly surprising to see Firefox and other browsers adopt the labelling over the next few months.