80

Chrome 68 new security feature

I absolutely love the new feature which is showing:

Not Secure - grey

on all non-HTTPS sites as of Chrome version 68.

Though, I would like it in red color for my mother to see clearly whether she is shopping on an at least communication secured site.

Do I have such option somewhere?

Canadian Luke
  • 24,199
  • 39
  • 117
  • 171
Vlastimil Burián
  • 3,887
  • 11
  • 41
  • 65
  • 8
    Worth noting that this will be the eventual default behaviour: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html – RedRiderX Jul 25 '18 at 15:11
  • 46
    Give the continued pervasiveness of non-HTTPS sites, don’t you fear that the high false-positive rate will numb your non-tech-y mother, training her to ignore the warning sign? Imagine every intersection had “STOP” signs. People would learn quickly to ignore them (this is altogether non-hypothetical). – Konrad Rudolph Jul 25 '18 at 15:36
  • 3
    It would be nice if it could be yellow instead of red. While I am of the opinion that "if it's on the wire it should be encrypted", a non-https site isn't automatically *insecure*, it's just not encrypted. If you're doing nothing but looking at stuff then you're not risking anything. – Petro Jul 25 '18 at 15:41
  • 4
    @KonradRudolph I told her literally, don't buy anything on the "red" shops and don't enter any sensitive information there, otherwise their Ok for weather forecasting and such normal things. – Vlastimil Burián Jul 25 '18 at 15:47
  • 4
    @Petro: If that were true, every major browser wouldn't be moving towards this model! You're still vulnerable to injection attacks from your gateway or ISP over http, never mind other users of the same network. ISP-level injection in particular happens a _lot_ on some networks. – Phoshi Jul 26 '18 at 12:47
  • 1
    @KonradRudolph: Not only that. It also communicates that other sites _are secure_ when in fact they are not (all that's there is a certificate which you can buy for 2-3 currency, or meanwhile get for 100% free), and web browsers, this one included, do nearly everything to promote a maximally _insecure_ web. Before worrying that the NSA might track what mostly uninteresting stuff you read on SO or on Facebook, one should worry why every darn website _must_ run a dozen scripts in your browser, and why browsers need to allow scripts to do things that actually nobody wants them to be able to do. – Damon Jul 26 '18 at 13:05
  • @Petro Your point about being "on wire" is especially on point since using http to anything that resolves to the local host (e.g. 127.0.0.1) is by definition secure (\*), since it's *not* going over the wire. (\*) with regards to network transport, at least – Michael Jul 26 '18 at 17:13
  • While we're giving this man advice on how to educate his mother, I would say it's more useful to have an alert box when you actually submit data to a website: "Please note, this website is insecure, be careful not to share any personal information like your SCN or CC details from here." Why even bother caring if you're not submitting any data. – Coded Monkey Jul 27 '18 at 07:49
  • 2
    @CodedMonkey Because the page viewed may not be the one sent by the server. Content may have been changed, or malicious content may have been added. Chrome and Firefox are correct in their assertion that HTTP only is insecure, although the converse is of course not necessarily true. – pwdst Jul 27 '18 at 14:25

1 Answers1

124

Yes, we do have that option

Result

The result being all non-HTTPS pages in red color:

enter image description here

Setting it up

Access internal settings:

chrome://flags/

Look for:

Mark non-secure origins as non-secure

or use this direct link (thanks to Baptiste Candellier):

chrome://flags#enable-mark-http-as

And set it to:

Enabled (mark as actively dangerous)

HTTP in red color

Vlastimil Burián
  • 3,887
  • 11
  • 41
  • 65
  • 2
    **Warning: Upgrading to Chrome 68 deleted all my cookies and messed up some extensions.** Make a backup of your profile if you care and want to try this feature. – user541686 Jul 27 '18 at 08:44