topic Re: Google's decision to kill its 'Secure' URL label in Chrome in Industry News

Google's decision to kill its 'Secure' URL label in Chrome

vt100 — Sun, 20 May 2018 18:02:07 GMT

According to multiple sources, Google has decided to simplify our lives again by removing "Secure" identifier in its Chrome browser for HTTPS sites protected, by what it deems, valid certificates.

This development is very unwelcome, as I recall them trying this in one of the earlier iterations of their browser to dismay of many security professionals, when we could not readily lookup certificate data from the address bar.

For instance, in my demo lab environment, I am using HTTPS inspection by the firewall/IPS/AV/Antibot/URL filtering and Application control device. Its certificate is installed in the domain's Trusted Root Certification Authorities. Therefore browser will see it as "Valid" and is presently indicating that the site is secure. But, importantly, it allows me to easily verify if the traffic is being inspected, or if it is allowed by the exceptions in the sites categorization:

HTTPS Inspected and Bypassed Certificate Indicators

Add to this Google's implementation of QUIC protocol, which presently could not be inspected and it's payload analyzed, the unilateral initiative with certificate issuance log validation, and it feels like Google deliberately making the life of security specialists difficult.

Re: Google's decision to kill its 'Secure' URL label in Chrome

Flyslinger2 — Mon, 21 May 2018 12:48:06 GMT

More of the same that I mentioned in another post regarding Google (Gorilla) flexing it's muscles and arbitrarily making a decision without peer review, involvement with organizations like the Internet Standards society or any other group that can logically and reasonably approve or disprove an action.

Google is way to big for its britches.

Re: Google's decision to kill its 'Secure' URL label in Chrome

Baechle — Wed, 23 May 2018 19:54:45 GMT

@vt100 wrote:
According to multiple sources, Google has decided to simplify our lives again by removing "Secure" identifier in its Chrome browser for HTTPS sites protected, by what it deems, valid certificates.

Are you able to cite any of those sources? It's kind of hard to judge the veracity of a claim through anonymous sources.

Re: Google's decision to kill its 'Secure' URL label in Chrome

Flyslinger2 — Thu, 24 May 2018 11:31:10 GMT

It's all over Al Gore's amazing interwebs:

https://www.techspot.com/news/74698-chrome-remove-ecure-label-https-sites-september.html

Re: Google's decision to kill its 'Secure' URL label in Chrome

denbesten — Sun, 27 May 2018 22:12:49 GMT

In concept, I do agree with Google's stance "Users should expect that the web is safe by default, and they’ll be warned when there’s an issue." However, I do hope they permanently learned that it is also necessary to give the users the ability to easily validate security settings. Google forgot this in Chrome 56 and relearned it in 60.

@Flyslinger2, When this development effort was first announced, they did offer a selection of ways to provide feedback.

Regarding the QUIC protocol, it is easy to block. I have yet to find anything that does not fall back to HTTP/HTTPS. As QUIC gets more popular (currently, 0.8%), I am confident that QUIC inspection abilities will equal that of HTTPS.

[edit: fixed incorrect reference]

Re: Google's decision to kill its 'Secure' URL label in Chrome

Flyslinger2 — Sat, 26 May 2018 20:37:56 GMT

@denbesten I humbly disagree. We should never assume that the internet is safe and Google taking that position is only showing their naiveté in understanding threats. Something we all were supposed to learn in CISSP.

Re: Google's decision to kill its 'Secure' URL label in Chrome

denbesten — Sun, 27 May 2018 22:11:11 GMT

I don't think that anyone believes the Internet (as a whole) to be a safe place. This is more about effectively communicating the relative security posture and risk of the site being visited.

Studies (Usenix, Harvard/MIT, CMU) have backed up the theory that passive security indicators are not effective. Fixing this requires being more "in your face" about exceptional concerns and avoiding crying wolf about the routine.

The original reference was lopsided in that it only mentioned what the Chrome overlords were taking away and ignored what was being added. Plenty of other sites (1, 2, 3, 4) have presented a more comprehensive picture of the happenings. Notably, In addition to removing from HTTPS web sites, they will be adding to HTTP web sites and to sites that have suspicious indicators (e.g. bad certificate or entering a password over HTML).

Effectively, they are changing the default to warn about bad instead of praising what should be the norm.

Re: Google's decision to kill its 'Secure' URL label in Chrome

Flyslinger2 — Tue, 29 May 2018 12:06:10 GMT

Sadly, I'm slammed at work with a big project and my personal life is ridiculous right now with anniversaries (35 for my wife and I), b-days out the wazzo and recent engagement by one of my offspring-busy. I don't have the time to even scan these articles let alone really put some thought and effort into them since you did the same. Thank you for doing that.

Re: Google's decision to kill its 'Secure' URL label in Chrome

denbesten — Wed, 30 May 2018 21:32:56 GMT

In any case, thanks for raising the question (well, comment). It inspired me to take a moment to write down what I had figured out so that others can (hopefully) benefit from it. Like you, my initial response was WTF. It wasn't until I dug into it that things started to make sense.

I'm sure that the tables will be turned in a few months and I will be the one slammed. Hopefully, I too will be able to lean on the community when that happens.

Re: Google's decision to kill its 'Secure' URL label in Chrome

Flyslinger2 — Thu, 31 May 2018 12:14:20 GMT

The WS at my customer location updated with the latest version of Chrome. I'm a Firefox fan myself so I only use Chrome to follow their shenanigans. I'd say 50% of the sites I visited using Chrome I got the "Not Secure" message, including some famous tech blogs! I also use Chrome because it handles 2FA better then FF.

I use Chrome Incognito and they are HTTP sites that I go to. Ding #1.

The site could have a form somewhere* that Chrome/Incognito throws up about. Ding #2.

*Really? What if the site doesn't go to HTTPS until you authenticate in?

So I contacted the webmasters for these sites. I showed them the write-up you get if you press F12 and click on the caution icon. You get sent to a Google blog detailing why this is a security issue. https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html

Their responses? LOL - what do you think it is? I don't think Google's security posture is too widely known and it will upset more people then it will help in securing anything.

I've already gotten several emails and calls from my network of people that still depend on me for their IT consultant even though I haven't done that in a while. They notice what Google is doing and are panicked that the website they have used for years is now not secure all of a sudden? Yeah.

Re: Google's decision to kill its 'Secure' URL label in Chrome

denbesten — Thu, 31 May 2018 20:23:38 GMT

@Flyslinger2 wrote:
...panicked that the website they have used for years is now not secure all of a sudden...

Many organizations, including Firefox (1, 2, 3), EFF and W3C are in on the HTTP conspiracy. Current versions of Chrome, Firefox, Edge, Opera all have similar cautions. MSIE, not so much.

Firefox 60

Chrome 66

I don't think Google's security posture is too widely known

The HTTPS push does seem to be working -- 75%-88% of web traffic today is https, up from 50% 19 months ago and 38% 33 months ago.