The worst case outcome is Google scaring people away from sites that don't need to be secure.

Exactly. Geezopete.

If they do something like this, it would be better that it is limited to pages that post the content back using forms or similar. As mb and netmeg say - if the page does not need to be secure, why scare user away (and most would not know any better).

How would this affect Adwords if it is perceived that Google is sending users to pages that then show as non-secure in browser?

This sounds like a really bad plan, unless they plan on applying it only to specific search phrases that are likely to result in the exchange of financial information (ecommerce, credit card applications, and things like that).

Bad idea. Many users will think that "non-secure" means "infected with viruses" or "may harm your computer".

As long as they want to scare users, why not warn people about sites that plant cookies or use tracking code? :-)

Google already includes https in the url of listings and most browsers display a secure lock icon. Why is there a need to punitively mark sites as non-secure? I would think if full disclosure and protecting users is important, Google should disclose their relationship to websites in the search results they display (paid and organic). That's what I call transparency and information users would find useful and rather enlightening.

I see two practical problems with the proposal (my apologies for the alliteration):

1) Visual clutter (the Web equivalent of "sign pollution") tends to be counterproductive. The more cluttered the browser interface becomes, the more likely it is that users will ignore icons, labels, etc.

2) Giving mafia-scam dot com a green light because it used HTTPS could easily create a false sense of security for the user. (It's easy to imagine a scenario where crooks would take advantage of a "This site is secure" icon or label.)

Side note: Just because the Chromium Security Team has floated this idea doesn't mean it will become a reality. I'd guess that the idea probably wouldn't survive user testing, but in the meantime, it's probably useful (from Google's point of view) if it encourages site owners and developers to consider using HTTPS.

Secure (valid HTTPS, other origins like (*, localhost, *))

I'm tickled by the implication that google is planning to index my personal hard drive-- which would be the least secure thing in the world if any passing search engine could poke around at will. But I don't suppose that is what they meant.

limited to pages that post the content back using forms or similar

Even then, not all POSTs are alike. Hate to break it to you, dear user, but spammers already know your email address.

I'm tickled by the implication that google is planning to index my personal hard drive

The way I understood, it is not Google SERPs that would display "site secure" icon. The proposal is that User Agents do it, therefore it would be shown in browser next to the address bar, based on what the browser shows.

So if you use browser to open a file on your hard disk (e.g. your local version of .html page or even an image you have locally and decide to view it using a browser) and likewise, if you use "localhost", it would get marked as "secure".

Unless there is a hidden goal, it would not be a good marketing strategy for Chrome browser:

Customer: "I see your website shows as not secure?"

Business: "Chrome is broken. View our website in Firefox, IE, Opera, or Safari."

^^^ The proposal is for all browsers to align on this.

Yes, this is a browser-specific proposal: In this instance, Chrome.

Google's initiative, imho, comes from the top. The company wants to protect its own data from hacking, and it's in their interest to encourage all sites to go https. See this thread [webmasterworld.com...]

I do not believe it would be a good move unless it was fully understood what was meant by security.

I agree, the general public do not fully understand that, and the result of such action would make sites look bad, and ultimately it would affect traffic of http sites.

So many smaller sites, already under pressure, would suffer further should this proposal go through.

But why in the world would Google, of all people, believe that the average user even looks at their browser's address bar? The trend is toward giving less information, for example by displaying only the hostname (omitting both protocol and path), and by blurring the difference between address and search.

Even if you're paying attention, you probably don't really notice security-related stuff unless the browser puts up an alert involving mixed content or an unknown/expired certificate. And, come to think of it, I have no idea how the ordinary human responds to this type of alert. (For present purposes, nobody reading this thread counts as an ordinary human.)

Don't know, but I'm pretty sure even my 84yr old mom would respond to something that said "non secure" when visited a site.

and guess who she'd be responding to to come fix it, too?

It's such an absolutely moronic and unnecessary idea it'll probably pass and give us just what we need: another round of headaches for everyone, courtesy of Google!

So..G are going to warn surfers when adwords lead to non HTTPS sites are they ? ..Hmmmm..I thought not..

There would be so many warnings that users would just become blind to it and thus decrease the effect when real security issues are highlighted by the browser.

That alone makes it a really bad idea but then again google rarely applies common sense to it's ideas.

So..G are going to warn surfers when adwords lead to non HTTPS sites are they ? ..Hmmmm..I thought not..

Not exactly. AFTER the user lands on Adwords landing page, if the page is HTTP, it will show as "not secure" probably somewhere next to (or as a part of) the address bar.

Think kind of the opposite to how the green bar for HTTPS page is currently displayed .

I have added the clarification to Neil's opening post.

so Google are trying to set www standards now ?

I can see some sites with deep pockets that would sue them back to the garage if they add "non-secure" or "unsecure" next to their site in the address bar..Not all the really big money corps have sites that are HTTPS..and I suspect that in the EU such a move would result in yet another smack from the legislators..

Libel laws and defamation of character can be applied to corps and organisations as well as individuals, writing "non-secure" or "insecure" next to links in serps or in the address bar would seem to constitute libel and defamation of character, damaging to company, organisation, personal reputation, with loss of trade etc ..

Hiding the definition of "non-secure" or "insecure" behind another click or in the small print would not make it more legally acceptable..except maybe in G land..

Apparently the slight rank boost Google promised was not enough to compel people to make the switch to https. The carrot obviously did not work so it's time for Google to use the stick and give non-https websites a black mark/strike against them.

I can see some sites with deep pockets that would sue them back to the garage if they add "non-secure" or "unsecure" next to their site in the address bar.

The Chrome browser team's proposal is just that: a proposal. It could be revised and implemented in any number of ways.

For example, what if Google Chrome showed the word "SECURE SITE" next to the existing padlock icon and displayed the whole address line with a green background, a smiley face, and a flashing thumbs-up sign? Non-HTTPS sites would have a tough time winning defamation lawsuits, because Google wouldn't be commenting negatively on their sites: It would just be showing its love for sites that did use HTTPS.

Cute idea, but that really is a desperate "what if" to counter with..
What if they said "visit this site and we'll save a kitten from the pound", or "if they added " eco friendly next to the padlock" would be equally as silly to posit..

Or "visit this site and we'll give you a free pony", or "visit this site and we'll give you the moon on a stick"
( the char count might be a bit long on that one to fit in the address bar along side the padlock and the URL though ) ..

Better ( and more realistic) to stick to discussing what they have said is their proposal, rather than trying to hand them passes based upon what they might say or show..

The cert authorities might also wish to comment about what G think is a good idea, and as someone said elsewhere ..the first time that someone got infected etc from a site that G had given an "extra seal" of approval over and above the one other browsers get..G would also be risking being sued..especially in the USA ( which is very very litigious )..I suspect G will think a bit more about this one ..and say ..whoops..nope ..forget we said that..or restrict it to the USA only..and then they might run afoul of international trade agreements and "interference with trade" etc ..

If they do try this ..I'm making popcorn..:)

[edited by: Leosghost at 3:00 am (utc) on Dec 18, 2014]

@EditorialGuy, please read the proposal OP is linking to carefuly.

It actually very explicitely says that they want to emphasise the HTTP site is not secure rather than emphasising a secure site (which is what is happening now). Emphasis mine:

...propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure.

It goes on further, suggesting that in time the secure sites (HTTPS) will not be marked as they are now (for instance, no green bar or paddlock) and instead HTTP sites will be marked as non-secure by browser(s):

Ultimately, we can even imagine a long term in which secure origins are so widely deployed that we can leave them unmarked (as HTTP is today), and mark only the rare non-secure origins

Therefore, regarding this from your post:

Non-HTTPS sites would have a tough time winning defamation lawsuits, because Google wouldn't be commenting negatively on their sites

In fact they are proposing exactly opposite of this - HTTPS to be "Business as usual" and show nothing, whereas HTTP would show "not secure".

Would make browser exploits ( changing what and how the browser operates and what it displays catastrophic ) if they went with what they are proposing..and chrome has had some vulnerabilities, as have the platforms that it runs on, and no doubt others will be found if the stakes are high enough to make the exploit writers time and effort worthwhile..

The cert authorities who currently issue ( and charge for ) the green bars and the padlocks will not take kindly to G trying to remove their revenue source..

aakk999, it's merely a proposal. Remember, too, that it's a proposal for "UA vendors," which means it requires buy-in from people outside Google. That's why the proposal states:

We’d like to hear everyone’s thoughts on this proposal, and to discuss with the web community about how different transition plans might serve users.

What's more, it's entirely possible that, by the time this proposal is implemented (if it ever is), HTTPS will be a lot more widespread than it is now.

...it's merely a proposal.

For other browser vendors. Not for Chrome.

What's more, it's entirely possible that, by the time this proposal is implemented (if it ever is), HTTPS will be a lot more widespread than it is now.

HTTPS better take off quick for that to be the case...

Emphasis Added

We intend to devise and begin deploying a transition plan for Chrome in 2015.

What do they mean by transition plan?

...the transition plan could be time-based:

T0 (now): Non-secure origins unmarked

T1: Non-secure origins marked as Dubious

T2: Non-secure origins marked as Non-secure

T3: Secure origins unmarked

On topic, Google, I appreciate the focus on security, but stop deciding to simply implement however YOU THINK the web should be working. Ok, technically, it's just a change in the browser, but the semantics are obviously meant to "encourage" everyone to switch to HTTPS. However a good idea some of us think that is, it's not up to you.

This is why people are getting freaked out about the power you hold. You're starting to demonstrate that you're not afraid to *use* that influence to simply push things to work however you want them to. You've already done that once already by pushing forward an SSL-related change far ahead of when it really needed to be, and now it looks like you're floating a trial balloon to go one step further.

Am I overreacting here? Or is Google going too far, too fast with this?