Can you shame website administrators into making their sites more secure? That's what Google will soon start doing through its Chrome browser, which now prominently identifies sites that are not secured with HTTPS encryption.
The Chrome security team in 2014 proposed marking sites that do not use HTTPS as insecure. The goal, developers said, was to make it clearer to users that those sites do not protect data.
Google has now announced plans to begin implementing these warnings by displaying a red X in the Chrome toolbar when users visit a site that doesn't have HTTPS encryption.
We're not talking here about HTTPS-encrypted sites that have invalid certificates or other configuration issues. For years, most major browsers have warned about mis-configured HTTPS -- and most users have dutifully clicked through the warning pages without taking action. But at least they were warned.
The new Chrome feature will theoretically help users to know when sites they visit may be subject to weak security. Of course, since the average Web user probably does not understand much about SSL authentication, this change seems unlikely to stop users from doing what they already do when they visit a site whose security may be suspect.
The bigger impact of Google's move is therefore likely to occur among website administrators. Now, Chrome will call them out when they opt not to encrypt their sites using HTTPS. Whether their users are likely to care or not, the change gives the people on the backend one more reason to consider adopting HTTPS.
Not that that's always free and easy, of course. And personally, I don't have any plans to add HTTPS to my personal website in the foreseeable future. But maybe Google will be successful in prompting site administrators more responsible than me to make a change.