vt100
Community Champion

Google's decision to kill its 'Secure' URL label in Chrome

According to multiple sources, Google has decided to simplify our lives again by removing the "Secure" identifier in its Chrome browser for HTTPS sites protected by what it deems valid certificates.

This development is very unwelcome, as I recall them trying this in one of the earlier iterations of their browser, to the dismay of many security professionals, when we could not readily look up certificate data from the address bar.

 

For instance, in my demo lab environment, I am using HTTPS inspection by the firewall/IPS/AV/Antibot/URL filtering and Application control device. Its certificate is installed in the domain's Trusted Root Certification Authorities. Therefore the browser will see it as "Valid" and is presently indicating that the site is secure. But, importantly, it allows me to easily verify if the traffic is being inspected, or if it is allowed by the exceptions in the site categorization:

[Image: HTTPS Inspected and Bypassed Certificate Indicators]

Add to this Google's implementation of the QUIC protocol, which presently cannot be inspected nor its payload analyzed, and the unilateral initiative with certificate issuance log validation, and it feels like Google is deliberately making the life of security specialists difficult.
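Added example, not part of the original post and not any vendor's code: a small Python check in the spirit of the screenshot above, deciding from the leaf certificate's issuer whether a connection was inspected (re-signed by the firewall's CA) or bypassed (left with the public CA's certificate). The inspection-CA name, the two sample certificates and the `fetch_peer_cert` helper are assumptions constructed for the demo; only the standard-library `ssl` calls are real, and `getpeercert()` really does return the subject/issuer layout mimicked below.

```python
"""Classify a TLS leaf certificate as 'inspected' (issued by the enterprise
HTTPS-inspection CA) or 'bypassed' (issued by a public CA).

The sample dictionaries mimic the shape returned by ssl.SSLSocket.getpeercert():
'subject' and 'issuer' are tuples of RDNs, each RDN a tuple of (type, value) pairs.
"""
import socket
import ssl

# Assumption: the CN of the root that the firewall pushed into the domain's
# Trusted Root Certification Authorities.  Replace with your own.
INSPECTION_CA_CN = "Lab Firewall HTTPS Inspection CA"


def rdn_value(name_tuple, attr):
    """Return the first value of attribute `attr` (e.g. 'commonName') from a
    getpeercert()-style subject/issuer tuple, or None if absent."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify(peer_cert, inspection_cn=INSPECTION_CA_CN):
    """Return 'inspected' if the leaf was issued by the inspection CA, else 'bypassed'.
    This is the same observation a user makes in the browser's certificate viewer;
    it does not replace the browser's own chain validation."""
    issuer_cn = rdn_value(peer_cert.get("issuer", ()), "commonName")
    return "inspected" if issuer_cn == inspection_cn else "bypassed"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live helper (hypothetical, not used by the offline demo): connect with the
    OS trust store and return the parsed leaf certificate for `host`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real), in getpeercert() layout.
INSPECTED_SAMPLE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Demo Lab"),),
               (("commonName", "Lab Firewall HTTPS Inspection CA"),)),
}
BYPASSED_SAMPLE = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA"),)),
}


def demo():
    """Classify both constructed samples; a bypass-category site keeps its public CA."""
    return {"www.example.com": classify(INSPECTED_SAMPLE),
            "bank.example": classify(BYPASSED_SAMPLE)}


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host}: {verdict}")
```

To check a real host, call `classify(fetch_peer_cert("www.example.com"))` from inside the inspected network; a site that lands in a bypass category will still show the public CA as issuer, which is exactly the distinction the screenshot relies on.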

10 Replies
Flyslinger2
Community Champion

More of the same that I mentioned in another post regarding Google (Gorilla) flexing its muscles and arbitrarily making a decision without peer review, involvement with organizations like the Internet Standards society or any other group that can logically and reasonably approve or disapprove an action.

Google is way too big for its britches.

Baechle
Advocate I


@vt100 wrote:

According to multiple sources, Google has decided to simplify our lives again by removing the "Secure" identifier in its Chrome browser for HTTPS sites protected by what it deems valid certificates.

Are you able to cite any of those sources?  It's kind of hard to judge the veracity of a claim through anonymous sources.

Flyslinger2
Community Champion

denbesten
Community Champion

In concept, I do agree with Google's stance "Users should expect that the web is safe by default, and they’ll be warned when there’s an issue."  However, I do hope they permanently learned that it is also necessary to give the users the ability to easily validate security settings.  Google forgot this in Chrome 56 and relearned it in 60.

@Flyslinger2 When this development effort was first announced, they did offer a selection of ways to provide feedback.

Regarding the QUIC protocol, it is easy to block.  I have yet to find anything that does not fall back to HTTP/HTTPS.  As QUIC gets more popular (currently, 0.8%), I am confident that QUIC inspection abilities will equal that of HTTPS.

 

[edit: fixed incorrect reference]

Flyslinger2
Community Champion

@denbesten I humbly disagree. We should never assume that the internet is safe and Google taking that position is only showing their naiveté in understanding threats. Something we all were supposed to learn in CISSP. 

denbesten
Community Champion

I don't think that anyone believes the Internet (as a whole) to be a safe place.  This is more about effectively communicating the relative security posture and risk of the site being visited.

Studies (Usenix, Harvard/MIT, CMU) have backed up the theory that passive security indicators are not effective.  Fixing this requires being more "in your face" about exceptional concerns and avoiding crying wolf about the routine.

The original reference was lopsided in that it only mentioned what the Chrome overlords were taking away and ignored what was being added. Plenty of other sites (1, 2, 3, 4) have presented a more comprehensive picture of the happenings. Notably, in addition to removing the "Secure" indicator from HTTPS web sites, they will be adding a "Not secure" indicator to HTTP web sites and a "! Not secure" indicator to sites that have suspicious indicators (e.g. bad certificate or entering a password over HTTP).

Effectively, they are changing the default to warn about bad instead of praising what should be the norm.

Flyslinger2
Community Champion

Sadly, I'm slammed at work with a big project and my personal life is ridiculous right now with anniversaries (35 for my wife and I), b-days out the wazoo and a recent engagement by one of my offspring. Busy.  I don't have the time to even scan these articles, let alone really put some thought and effort into them, since you did the same. Thank you for doing that.

denbesten
Community Champion

In any case, thanks for raising the question (well, comment).  It inspired me to take a moment to write down what I had figured out so that others can (hopefully) benefit from it.  Like you, my initial response was WTF.  It wasn't until I dug into it that things started to make sense.

I'm sure that the tables will be turned in a few months and I will be the one slammed.  Hopefully, I too will be able to lean on the community when that happens.

Flyslinger2
Community Champion

The WS at my customer location updated with the latest version of Chrome.  I'm a Firefox fan myself, so I only use Chrome to follow their shenanigans.  I'd say 50% of the sites I visited using Chrome I got the "Not Secure" message, including some famous tech blogs!   I also use Chrome because it handles 2FA better than FF.

I use Chrome Incognito and they are HTTP sites that I go to.  Ding #1.

The site could have a form somewhere* that Chrome/Incognito throws up about. Ding #2.

*Really? What if the site doesn't go to HTTPS until you authenticate?

So I contacted the webmasters for these sites.  I showed them the write-up you get if you press F12 and click on the caution icon.  You get sent to a Google blog detailing why this is a security issue.  https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html

Their responses? LOL - what do you think it is?  I don't think Google's security posture is too widely known and it will upset more people than it will help in securing anything.

I've already gotten several emails and calls from my network of people that still depend on me as their IT consultant even though I haven't done that in a while.  They notice what Google is doing and are panicked that the website they have used for years is now not secure all of a sudden?  Yeah.
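Added example, not part of anyone's post in this thread and not Google's code: a standard-library Python audit of the two conditions described above, denbesten's summary (HTTP page gets "Not secure", password entry on HTTP gets the stronger "! Not secure") and Flyslinger2's "Ding #2" case of a login form on an HTTP page that only switches to HTTPS on submit. A webmaster can run it over their own pages before the next Chrome update flags them. The two sample pages, the host names and the label strings are constructed for the demo; the labels follow the thread's description, not Chrome's internal names.

```python
"""Audit pages for the conditions that make Chrome show 'Not secure':
any page served over plain HTTP, and (the stronger warning) an HTTP page that
renders a password field.  Standard library only; all inputs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PasswordFieldFinder(HTMLParser):
    """Record every <input type=password> together with the enclosing <form action>."""

    def __init__(self):
        super().__init__()
        self._form_action = None
        self.password_fields = []  # one entry (form action, or None) per password input

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "form":
            self._form_action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields.append(self._form_action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_page(url, html):
    """Return (label, reasons); label is 'none', 'not secure' or 'not secure (danger)'.

    A form that posts to https does not rescue an HTTP page: the page carrying the
    field arrives unauthenticated, so it can be altered before the user types."""
    scheme = urlparse(url).scheme.lower()
    finder = _PasswordFieldFinder()
    finder.feed(html)
    reasons = []
    if scheme == "http":
        reasons.append("page served over plain HTTP")
        for action in finder.password_fields:
            posts_to = urlparse(action).scheme.lower() if action else ""
            reasons.append(
                f"password field on an HTTP page (form posts via {posts_to or scheme})"
            )
    if not reasons:
        return "none", reasons
    return ("not secure (danger)" if finder.password_fields else "not secure"), reasons


# Constructed sample pages (hypothetical hosts).
LOGIN_PAGE = """<html><body>
<form action="https://portal.example.test/session" method="post">
  <input name="user"><input name="pw" type="password"><button>Log in</button>
</form></body></html>"""
BROCHURE_PAGE = "<html><body><h1>Welcome</h1><p>No forms here.</p></body></html>"


def demo():
    """The three cases from the thread: HTTP login page, the same page over HTTPS,
    and a plain HTTP page with no form at all."""
    return {
        "http login": audit_page("http://portal.example.test/login", LOGIN_PAGE),
        "https login": audit_page("https://portal.example.test/login", LOGIN_PAGE),
        "http brochure": audit_page("http://portal.example.test/", BROCHURE_PAGE),
    }


if __name__ == "__main__":
    for case, (label, reasons) in demo().items():
        print(f"{case}: {label} {reasons}")
```

The "http login" case is the one that surprises site owners: the form posts to HTTPS, yet the page is still flagged, because the browser judges the page that renders the field, not where the form is sent. Serving the login page itself over HTTPS is what clears the label.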