AVOID GOING CHROMATOSE!
Google recently released an update for Chrome that marks all HTTP websites as being Unsecured. This is entirely accurate, as the information flowing between your computer and the server is unencrypted. This means someone could be in the middle, monitoring the traffic, and reading everything that’s going on.
You can read details about the Chrome Update here.
Previously, the only time you saw messages about Security in any browser was with HTTPS. This usually involved an icon of a lock, or something similar.
Security issues on HTTPS could arise if there was something wrong with the Certificate used by the website.
Those issues could include:
- The Certificate not being valid for the website you are visiting.
- The Certificate Authority that issued the Certificate being unknown to the browser.
- The Certificate having expired.
- The encryption used on the Certificate being too weak.
Usually, the issues people encountered were with validity or the Certificate Authority. An expired Certificate didn’t usually happen unless the website Administrator was inexperienced or the site was abandoned. Encryption-related issues generally only happened when the Administrator didn’t keep up to date on Security-related issues.
With the change in browser behaviour, the HTTP website will now show up as being insecure. This may not seem like a major change, but it has big implications.
A lot of Phishing campaigns use links to fake websites. The clickable link may display an HTTPS address, while the website it actually leads to is HTTP (remember that a link’s target doesn’t need to match the text that is displayed). This allows an Attacker to link to an HTTP website while the User is expecting HTTPS. Currently, there is no indication that HTTP is not encrypted. This warning will make it obvious that the traffic is not being encrypted, and may help overall User awareness.
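An added example, not part of the original post: a mail-filter style check that flags links whose visible text shows one URL while the `href` points somewhere else, including the case above where the text says HTTPS and the target is HTTP. The sample HTML, the host names and the `audit_links` helper are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_TEXT = re.compile(r"^(https?://|www\.)\S+$", re.IGNORECASE)
class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return (text, href, reasons) for links whose displayed URL disagrees with the target."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not URL_TEXT.match(text):
            continue  # visible text is not a URL, so there is nothing to compare
        try:
            shown = urlsplit(text if "://" in text else "//" + text)
            target = urlsplit(href)
        except ValueError:
            continue  # malformed URL; not judged by this check
        if target.scheme not in ("http", "https"):
            continue  # mailto:, relative links etc. are out of scope here
        reasons = []
        if shown.scheme == "https" and target.scheme == "http":
            reasons.append("scheme-downgrade")  # text promises HTTPS, link is HTTP
        if shown.hostname != target.hostname:
            reasons.append("host-mismatch")  # strict, exact host comparison
        if reasons:
            findings.append((text, href, reasons))
    return findings

# Constructed sample message body (assumed hosts, not from the original post).
SAMPLE = """<a href="http://login.example.net/signin">https://www.example.com/login</a>
<a href="http://www.example.com/pay">https://www.example.com/pay</a>
<a href="https://www.example.com/help">Help centre</a>"""
```

Running `audit_links(SAMPLE)` reports the first two links and ignores the third, whose visible text is not a URL.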
With this change happening in Chrome, it’s likely that other browsers will make similar changes to their own behaviour. Changes like this are evidence of a shift in thinking.
When I went to school, all these differences in HTTP and HTTPS, as well as the warning messages, were well known (at least to us computer people.) The overall thinking was that it was up to the User to be aware of what they were doing: “Didn’t notice the HTTPS warning message? Too Bad. Normally the login page is HTTPS; this is HTTP. Not our problem.”
There’s a certain logic to the old way of thinking. It can be summarized with a statement like: “People should be responsible for their own education.” To a point, it’s true. The problem with thinking that way is it puts all the responsibility on the Users to educate themselves.
The new way of thinking makes computers more like cars. In the 50’s there were cars that were, quite literally, death traps. There were muscle cars that could go very fast in a straight line, but try to get them around a corner and they would want to do silly things, like roll. So, governments stepped in, and now there are regulations on things like suspension and roofs that don’t collapse. Features to keep people safe are standard.
Features like showing HTTP pages as insecure are the same sort of thing. The new thinking is that people still need to know the basics of how to use a computer. At the same time, Software Designers have a responsibility to help keep people safe.
If you have any questions about Chrome’s Insecure Website behaviour, you can always reach out to your TRINUS Account Manager for some stress-free IT.
Your Friendly Neighbourhood Cyberman.