Encryption

Less Than One Month Until Google Chrome Marks HTTP Sites “Not Secure”

Share

This post was authored by Jason Wood, founder of Paladin Security, a host on Security Weekly and commentator on Hack Naked News. This post is sponsored by DigiCert.

 

There are a number of changes coming up to how Google Chrome warns people about the use (or lack of use) of encryption.  The most immediate change is that this July Google will release Chrome 68 and will put up a message saying “Not secure”.  That’s one short month until the change occurs and people start trying to understand what that means.  It also marks a series of changes that could lead to confusion among the users of Chrome.

First off, let’s see what this change looks like to the folks who use Chrome.  When I go to an unencrypted (HTTP) webpage using Chrome 67, I get a small icon of an “i” inside a circle.  If I click on the icon, a message is displayed saying my connection to the site is not secure.  In a month, this will be changed to “Not secure” as shown in the image below.

How Chrome 68 will treat HTTP web pages
Credit: Google Security Blog

That doesn’t look terribly alarming, but the verbiage could startle some people.  Anti-virus companies have long since marked web pages as safe or unsafe in search engine results.  Now the browser is essentially saying that the site is not safe.  This could cause some concern and an increase in calls going to help desks at companies.

Google’s reasoning for this change is that web sites are defaulting more and more to using HTTPS for their users.  Their feeling is that the days of only using HTTPS for login pages, e-commerce sites and other financial activity are in the past.  Now it’s time for everyone to step up their game and move everything to HTTPS.  This change is almost certain to cause more site owners to move to using HTTPS.  Not only will they get an SEO boost for using HTTPS, but now they will get shamed if they don’t use HTTPS.

But wait, there’s more!

This isn’t the last change that Google has in store for us either.  Google just announced this May that they are also changing how they handle HTTPS sites in September 2018 as well.  Chrome 69 will stop displaying the “Secure” verbiage in the address bar and just go back to the lock symbol.  Their plans are to eventually not display any indication at all when a site uses HTTPS and only highlight when they are NOT using HTTPS.  Here’s what you can expect to see in September.

How Chrome 69 will treat HTTPS pages
Credit: Google Chromium Blog

The changes don’t stop there either.  Chrome 70 will be released in October 2018 with more changes to security warnings.  In this release, Chrome will change the “Not Secure” warning to an alarming red whenever someone starts typing into a form or login/credit card field.  The apparent goal here is to catch people’s attention and make them evaluate what they are about to send to an unencrypted site.  This change will look like the image below.

How Chrome will alert users when typing into forms on HTTP pages
Credit: Google Chromium Blog

Preparing the Help Desk

So what’s the impact to us as security professionals?  First, we need to make sure our desktop support staff have been informed of the change and are ready to respond to questions.  It does not inspire confidence when someone calls up support and the expert on the other side is surprised by the change and is trying to figure out what is going on.  The support folks need to be prepared and ready to go.  They also need to understand that this only impacts those who use Chrome.  Users of Edge, Firefox, Safari, etc will not receive a change in how HTTPS sites are handled.  This will be something to deal with until these browsers decide to follow Chrome’s lead.

Migrating to HTTPS

Next, it is time to take a look at the sites your company is hosting.  Are they using HTTPS?  Are they enforcing HTTPS?  If not, then it’s time to start asking what the impact of getting tagged with a “Not secure” label is in the address bar.  On top of what the end users think of this change, you need to be ready for what people inside the business will think.  Politics is real in the work place and if the VP of Marketing just came in freaking out because a bunch of web sites are marked as insecure, then you just lost some political capital.  So don’t wait for that unfortunate event and try to get out ahead of it.  Explain what is happening to people (such as our fictional VP of Marketing) and ask them if they want to start moving the sites to HTTPS.

Obviously, any change to use HTTPS is going to require SSL/TLS certificates to make the encryption possible.  There are a number of different types of certificates you can select and they each have different benefits.  DigiCert, our Security Weekly partner, has created a page with information to help you with this process.  You can check out this resource by visiting digicert.com.

Beyond certificate selection, there are other things we need to do to prepare sites to use HTTPS as well.  Missing some of these can cause some real headaches and emergency changes to fix the fallout.

    • Configure your SEO tools to use the HTTPS version of your sites ahead of time.  If you forget to reconfigure these, then you’ll start losing data in your analysis tools and indexing from search engines.
    • Do you have hard coded links to HTTP resources within your web site?  Those will need to be changed to use HTTPS instead.
    • Do you have redirects in place to send users to the HTTPS link for resources?  Old links live for a long time on the internet, so you need to have redirects in place to seamlessly send users to the correct location.
    • You may need to make changes to CDN settings, load balancers, proxies and more.  Anything that is configured to serve content over HTTP will need to be checked out.

One Final Thought

There are some larger concerns here than how Google has decided to frame the use of SSL/TLS certificates and HTTPS.  For years we’ve told people to look for the lock and not click through to sites that have certificate warnings.  These changes to Chrome will turn that model upside down and require new messaging to give to family, friends and colleagues.  Security awareness training will have to be updated to reflect the new reality.  In short, we are going to have to tell people that what we have always said doesn’t apply to Chrome now, but does apply to everything else.  It’s safe to say there will be some confusion out there.

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html

Jason Wood

Jason Wood is a senior researcher on CrowdStrike’s OverWatch team. He is also the founder of Paladin Security and the primary consultant. Prior to starting Paladin Security, Jason was a Principal Security Consultant with Secure Ideas. At Secure Ideas, he performed penetration tests for clients in a wide range of industries. These include health care, financial services, SaaS businesses, government agencies and critical infrastructure.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.