Here’s how broken today’s web will feel in Chrome’s secure-by-default future

Last week Google announced some changes to Chrome, specifically that come January 2017, practices like this are going to start resulting in browser warnings:


That’s just one of many such examples I’ve called out in the past and frankly, I have about zero sympathy for those who are doing this in the first place so a browser warning is only right.

But here’s the really interesting bit – that’s just the beginning because Google has a plan:

a long-term plan to mark all HTTP sites as non-secure

I want to show you the significance of this on everyday websites and we can do that today by virtue of jumping into chrome://flags then scrolling down to “Mark non-secure origins as non-secure”:


And then we’ll do just that – flag them as non-secure. Now let’s go browsing!

It’s first thing in the morning, so we’ll kick off with a bit of international news:


Ok, browser warning there so not that trustworthy. Tell you what – Jony Ive put me in an Apple trance during the keynote last week so let’s go and check out the new shiny there:


Huh, warning there too, it could even be a fake Tim Cook since it’s loaded over HTTP so better move on. I get accused of being a Microsoft apologist sometimes so we’ll try them next:


Shit. Now I honestly expected them to load over HTTP and show a warning but since they redirect to HTTPS by default everything looks cool. This makes a different point though – this is what the new normal will be when the non-secure exodus kicks in. But you already know what a site loaded over HTTPS looks like anyway, let’s go for a fly instead:
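The redirect-to-HTTPS behaviour that makes a site "look cool" under the flag is easy to check mechanically: follow the redirect chain a browser would follow and see whether the final origin is HTTPS. The script below is an added example, not from the original post; it uses a constructed table of responses in place of real network requests, so every hostname and Location header in it is made up.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the responses a browser would receive for each
# URL: maps URL -> (status code, Location header or None). A real checker
# would issue the requests instead of looking them up here.
FAKE_RESPONSES = {
    "http://news.example/": (200, None),                          # served over plain HTTP
    "http://ms.example/": (301, "https://ms.example/"),           # redirects to HTTPS by default
    "https://ms.example/": (200, None),
    "http://shop.example/": (302, "/home"),                       # relative redirect, still HTTP
    "http://shop.example/home": (200, None),
    "https://bank.example/": (302, "http://bank.example/login"),  # downgrades HTTPS -> HTTP
    "http://bank.example/login": (200, None),
    "http://loop.example/": (302, "http://loop.example/"),        # redirect loop
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fetch(url):
    """Constructed fetcher: consult the table rather than the network."""
    return FAKE_RESPONSES.get(url, (404, None))


def final_origin(url, fetch=fetch, max_hops=10):
    """Follow redirects like a browser; return (final URL, list of URLs visited)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or location is None:
            return url, chain
        url = urljoin(url, location)  # Location may be relative to the current URL
        if url in chain:              # loop detected: stop rather than spin forever
            return url, chain
        chain.append(url)
    return url, chain                 # too many hops: judge whatever we ended on


def chrome_indicator(url, fetch=fetch):
    """Predict what 'Mark non-secure origins as non-secure' would show for this URL."""
    final, _chain = final_origin(url, fetch)
    return "secure" if urlsplit(final).scheme == "https" else "non-secure"


if __name__ == "__main__":
    for start in sorted(FAKE_RESPONSES):
        final, chain = final_origin(start)
        print(f"{start:28} -> {final:28} {chrome_indicator(start)} ({len(chain) - 1} hops)")
```

Only the origin that ends up on HTTPS counts as secure; a site that answers over HTTP, or that redirects back down to HTTP, gets the warning regardless of how many hops it took.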


Dammit! Ok, big warning symbol there so that’s no good. I’m sick of flying anyway, let’s find a nice car:


Alright, that’s it, definitely not buying a Ferrari via the browser now! But at least the warning symbol is red…

Maybe we’ll set our sights a little lower and do some eBay shopping:


Right, not so good. At least our banks will be good, right? I mean they’re the ones with the bank grade security:


It’s one of the biggest banks in the country! Let’s go bigger – let’s grab one of the biggest in the world:


This is really disheartening, I’m gonna go straight to the Prime Minister and make my feelings known:


Well that’s surprising, our government seemed to be so good at getting tech right too…

Not to worry, I reckon we can go even higher still, let’s hit up the UN:


Huh. Is it possibly just that these sites don’t know how to implement HTTPS? Let’s go see if we can find some good guidance on that:


Alrighty then. Tell you what – let’s go back to the site where I first read about Chrome’s upcoming change last week:


This is obviously intended to be a bit tongue in cheek but here’s the point: we are a very, very long way away from a “secure by default” web. Going HTTPS can be easy, but it can also be a non-trivial exercise for the likes of Stack Overflow. We should all be going HTTPS only at the earliest opportunity, but the chances of seeing browsers do what they’re doing in the screens above in 2017 are near zero and frankly, at this rate even 2018 is hard to see happening. What the January change does is move the needle just that little bit further around so that more sites use more SSL and the web is better prepared for the inevitable transition described here.

And just for the sake of completion to save comments on things I’ve already covered, we’re struggling to get traction with SSL because it’s still a premium service and no, Let’s Encrypt is not a panacea to all our woes (as much as I love the idea), and for many cases, CloudFlare will be an easier and more effective proposition.
