The latest step in Google's fight to secure the Internet is blacklisting sites that want you to log in over HTTP

May 30, 2017 20:03 GMT

Google has been pushing sites to start using HTTPS for a while now, hoping that it would help make the web more secure. Now, Google is marking newly registered sites that ask people to input login details and passwords over HTTP as unsafe.

According to security firm Sucuri, Google has been marking websites as containing "Deceptive Content" when it detects code that's meant to trick users into revealing sensitive information. Most recently, however, the company has also started blacklisting sites and adding the Deceptive Content flag to them even if they were clean and loaded no external resources.

The reason behind this move is that the websites used only the HTTP protocol even though they contained login pages or password fields. All Google waits for before removing these flags is for the site to get an SSL/TLS certificate.

"Upon investigation, the websites contained login pages or password input fields that were not being delivered over HTTPS. This could mean that Google is expanding its definition of phishing and deception to include websites that cause users to enter sensitive information over HTTP," Sucuri notes.

A long history of SSL support

Google has been pushing SSL as a best practice standard across the web for years now, so it's not exactly surprising that they're taking a much stronger stance.

For instance, back in 2014, Google said that HTTPS helped websites rank higher in its search engine results. Earlier this year, it rolled out the Not Secure label in Chrome when HTTP websites handled credit cards or passwords. Now you can see this mark in Chrome right next to the address field, along with warnings about the risks users take when visiting these unprotected sites.

At this point in time, as Sucuri notes, Google has the power to reduce a site's traffic by 95% with its blacklist warnings. This means that this latest move from Google may be the most effective one yet in pushing site admins to enable SSL.