According to multiple sources, Google has decided to simplify our lives again by removing the "Secure" identifier in its Chrome browser for HTTPS sites protected by what it deems valid certificates.
This development is very unwelcome, as I recall them trying this in one of the earlier iterations of their browser, to the dismay of many security professionals, when we could not readily look up certificate data from the address bar.
For instance, in my demo lab environment, I am using HTTPS inspection by the firewall/IPS/AV/Anti-bot/URL-filtering and application-control device. Its certificate is installed in the domain's Trusted Root Certification Authorities. Therefore the browser sees it as "Valid" and is presently indicating that the site is secure. But, importantly, it allows me to easily verify whether the traffic is being inspected, or whether it is allowed through by the exceptions in the site categorization:
Add to this Google's implementation of the QUIC protocol, which presently cannot be inspected and its payload analyzed, and the unilateral initiative on certificate issuance log validation, and it feels like Google is deliberately making the life of security specialists difficult.
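Since the address bar no longer makes the issuer obvious at a glance, the check the post above relies on (is this site's certificate issued by my inspection appliance's CA, or by a public CA because the category is exempted?) can be done from a script instead. The following is an added example written for this thread, not code from the poster or from any firewall vendor. It uses only the Python standard library: the issuer of the leaf certificate, as returned by ssl.SSLSocket.getpeercert(), is compared against the subject DN of the inspection CA. The CA subject "Example Lab HTTPS Inspection CA", the host names, and the sample certificate dictionaries are all constructed for the example; substitute the subject of your own appliance's root.

```python
"""Tell inspected from non-inspected HTTPS connections by the leaf issuer.

Added example for this thread (not from the original post). The inspection
CA subject and the sample certificates below are hypothetical.
"""
import socket
import ssl

# Hypothetical subject DN of the firewall's inspection CA, in the nested
# tuple-of-RDNs layout that ssl.SSLSocket.getpeercert() uses.
INSPECTION_CA_SUBJECT = (
    (("organizationName", "Example Lab"),),
    (("commonName", "Example Lab HTTPS Inspection CA"),),
)


def dn_to_dict(rdns):
    """Flatten a getpeercert() RDN sequence into {attribute: value}."""
    out = {}
    for rdn in rdns:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify_issuer(cert, inspection_ca_subject=INSPECTION_CA_SUBJECT):
    """Return 'inspected', 'direct' or 'unknown' for a getpeercert() dict.

    'inspected': the leaf was minted by the inspection CA, so the appliance
                 is decrypting and re-encrypting this session.
    'direct':    the leaf was issued by some other CA, i.e. the site bypasses
                 inspection (category exception, or no inspection at all).
    'unknown':   no issuer data (e.g. the handshake failed or the cert was not
                 validated, in which case getpeercert() returns {}).
    """
    issuer = dn_to_dict(cert.get("issuer", ()))
    if not issuer:
        return "unknown"
    # Exact DN match: an issuer that merely shares the CN but not the whole
    # subject is not our appliance and must not count as 'inspected'.
    if issuer == dn_to_dict(inspection_ca_subject):
        return "inspected"
    return "direct"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Do a real TLS handshake and return the validated leaf certificate.

    The default context uses the OS trust store, so the inspection CA must be
    installed there (as it is in the lab described in the post); otherwise
    the handshake raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real certs),
# so the classifier can be exercised without a network.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": INSPECTION_CA_SUBJECT,
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "bank.example.net"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Public CA Inc"),),
        (("commonName", "Public CA Inc TLS Issuer"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Live check: python inspect_check.py www.example.com
        cert = fetch_peer_cert(sys.argv[1])
        print(sys.argv[1], classify_issuer(cert), dn_to_dict(cert["issuer"]))
    else:
        for label, cert in (("sample A", SAMPLE_INSPECTED), ("sample B", SAMPLE_DIRECT)):
            print(label, "->", classify_issuer(cert))
```

Run it with a host name to test a live site from a machine inside the inspected network; run it with no arguments to see the two constructed cases. A result of "direct" for a site you expect to be inspected is exactly the categorization-exception situation the post describes, which the browser UI no longer surfaces.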
@Flyslinger2 wrote: "...panicked that the website they have used for years is now not secure all of a sudden..."
Many organizations, including Firefox (1, 2, 3), the EFF and the W3C, are in on the HTTP conspiracy. Current versions of Chrome, Firefox, Edge and Opera all have similar cautions. MSIE, not so much.
(Screenshots: Firefox 60, Chrome 66)
I don't think Google's security posture is too widely known.
The HTTPS push does seem to be working: 75-88% of web traffic today is HTTPS, up from 50% 19 months ago and 38% 33 months ago.