Please Google, Don't shame HTTP (yet)
February 1, 2016
Last week there was a big hubbub around the revelation that “Google Will Soon Shame All Websites That Are Unencrypted”. People were freaking out and cats and dogs were running loose in the streets. Sheer pandemonium. The reality was that Google didn’t announce it, but someone talking at a conference had the feature flag turned on in Chrome. Google did explain that they wanted to do this eventually for “security” reasons, which makes sense when you dive into the topic. At first, as a security-conscious person, I thought this was a great idea; after all, HTTP is inherently not secure. However, engineers need to step back and think about this from a user perspective. There is one truly key problem with a red lock for all HTTP: Alarm Fatigue.