Here’s What the New Chrome Security Warnings Really Mean

Chrome fans may have noticed small changes in their browsers today. Assuming you are using the latest version of Chrome, version 68, you will now see a large “unsafe” label in the address bar whenever you open a website whose address starts with http:// instead of https://. (Anyway, I’m using Chrome version 67.0.3396.99 and it also shows up there when the page has an input field.)

Will you ignore this warning? Probably. Should you? Probably not. Web security expert Troy Hunt explains why it is important for websites to use HTTPS (the secure version of the Hypertext Transfer Protocol) in the short video below. It’s well worth a look, but here’s the short version: for businesses, hackers, or anyone else interested in your web traffic, it isn’t that hard to spot your HTTP request (say, when you want to visit a specific website), intercept it, and replace the response with something you don’t want, like an ad, a popup, or a completely different website.

“This is why your static website needs HTTPS” – Troy Hunt

Most websites do a pretty good job of redirecting you to their HTTPS versions when you type in a bare domain name: Amazon, Microsoft, Tumblr, Lifehacker, etc. But plenty of websites don’t, and Hunt has built his own site, Why No HTTPS?, to call out the offenders.

On it, he lists the top 100 websites in the world that don’t automatically redirect to the HTTPS version of the site when you enter their domain names. Offenders (and their Alexa ranks) include Baidu.com (#4), qq.com (#6), bbc.com (#105), espn.com (#136), foxnews.com (#211), and even speedtest.net (#237), among many others.

The frustrating part is that some of these sites do have secure versions; you just have to type https:// in front of the domain name, rather than websitename-dot-com alone, to reach it (unless the site offers a preference or setting you can toggle so it always redirects you to the HTTPS version when you visit). This trick doesn’t work everywhere, though. You can type https://www.espn.com as much as you like and you will still be bounced back to the less secure HTTP site.
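The behaviour described above (a site that either never redirects plain HTTP to HTTPS, or, like espn.com, bounces an https:// visitor back to http://) is easy to measure yourself. The following script is an added example written for this article; it is not code from the article, from Troy Hunt’s Why No HTTPS? site, or from any project mentioned here. It follows a site’s redirect chain starting from the bare http:// address a user would type and classifies the result, also noting whether the final HTTPS response carries a Strict-Transport-Security (HSTS) header, which is what tells browsers to skip the insecure first request next time. The `.test` domains and their response chains are constructed samples so the classifier can be exercised offline; pass real domain names on the command line to check live sites.

```python
"""Check whether a site sends plain-HTTP visitors on to HTTPS.

Added example for this article; not code from the article, from Troy Hunt's
site, or from any project it mentions. Domains ending in .test below are
constructed samples (a reserved test TLD), used so the classifier can be
exercised offline.
"""
import http.client
import sys
import urllib.parse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def fetch_chain(start_url, max_hops=MAX_HOPS, timeout=10):
    """Follow redirects from start_url and return the hops as a list of
    (url, status, headers) tuples, header names lower-cased. Stops at the
    first non-redirect response or after max_hops."""
    hops = []
    url = start_url
    for _ in range(max_hops):
        parts = urllib.parse.urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"User-Agent": "redirect-check/0.1"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        resp.read()  # drain the body so the connection closes cleanly
        conn.close()
        hops.append((url, resp.status, headers))
        if resp.status in REDIRECT_STATUSES and "location" in headers:
            # Location may be relative; resolve it against the current URL
            url = urllib.parse.urljoin(url, headers["location"])
            continue
        break
    return hops


def classify_chain(hops):
    """Summarise a redirect chain.

    verdict is one of:
      "https"       the chain ends on an https:// URL
      "downgrade"   some hop sent an https:// visitor back to http://
                    (the espn.com behaviour described in the article)
      "http-only"   the chain never reaches https://
      "no-response" nothing came back
    hsts is True only when the final response is over HTTPS and carries a
    Strict-Transport-Security header; browsers ignore that header when it
    arrives over plain HTTP, so it is not counted there.
    """
    if not hops:
        return {"verdict": "no-response", "hsts": False, "hops": 0}
    schemes = [urllib.parse.urlsplit(url).scheme for url, _, _ in hops]
    downgraded = any(a == "https" and b == "http"
                     for a, b in zip(schemes, schemes[1:]))
    final_url, final_status, final_headers = hops[-1]
    if downgraded:
        verdict = "downgrade"
    elif schemes[-1] == "https":
        verdict = "https"
    else:
        verdict = "http-only"
    hsts = schemes[-1] == "https" and "strict-transport-security" in final_headers
    return {"verdict": verdict, "hsts": hsts, "hops": len(hops),
            "final_url": final_url, "final_status": final_status}


def check_domain(domain):
    """Start from the bare http:// form a user would type and classify."""
    return classify_chain(fetch_chain("http://%s/" % domain))


# Constructed sample chains (no network needed).
SAMPLE_CHAINS = {
    # the well-behaved case: one hop to https://, HSTS set on the final page
    "good.test": [
        ("http://good.test/", 301, {"location": "https://good.test/"}),
        ("https://good.test/", 200,
         {"strict-transport-security": "max-age=31536000"}),
    ],
    # https:// typed by hand, but the site bounces the visitor back to http://
    "downgrade.test": [
        ("https://www.downgrade.test/", 302,
         {"location": "http://www.downgrade.test/"}),
        ("http://www.downgrade.test/", 200, {}),
    ],
    # plain HTTP, no redirect at all
    "plain.test": [("http://plain.test/", 200, {})],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for domain in sys.argv[1:]:
            print(domain, check_domain(domain))
    else:
        for name, chain in SAMPLE_CHAINS.items():
            print(name, classify_chain(chain))
```

Run it with no arguments to see the three constructed chains classified, or with one or more domain names (for example `python redirect_check.py example.com`) to check live sites. A "downgrade" verdict is the case the article describes for ESPN; "http-only" is the plain case Hunt’s list is built from; and a "https" verdict without HSTS still means every fresh visit starts with one interceptable HTTP request before the redirect.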

When Your Favorite Sites Don’t Support HTTPS (Or So You Think)

I recommend installing the HTTPS Everywhere browser extension. This is a great little tool created by The Tor Project and the Electronic Frontier Foundation that tries to fix some of these problems by pointing your browser at the HTTPS version of websites whenever possible. It is neither flawless nor magical. As the EFF points out, it cannot conjure site security out of thin air:

“HTTPS Everywhere only protects you when you are using encrypted portions of supported websites. On a supported site, it will automatically enable HTTPS encryption for all known supported portions of the site (for some sites, this may only be a portion of the entire site). For example, if your webmail provider does not support HTTPS at all, HTTPS Everywhere will not be able to secure your access to your webmail. Likewise, if a site allows HTTPS for text but not images, someone might see what images your browser is loading and guess what you are accessing.

HTTPS Everywhere is entirely dependent on the security features of the individual websites you use; it activates these security functions, but cannot create them if they do not already exist. If you are using a site that is not supported by HTTPS Everywhere, or a site that provides some information in an insecure manner, HTTPS Everywhere cannot provide additional protection for your use of this site. Before sending or receiving confidential information, including passwords, be sure to check that the security of a particular site is working at the level you expect.”

If you’re just clicking mindlessly through sites in your browser, you probably don’t need to care that much about HTTP versus HTTPS, unless you start noticing something strange during your browsing session. At least that’s how SecurityMetrics analyst Brand Barney put it in a 2014 blog post: “If you’re just browsing the Internet, watching cat memes and dreaming of a $200 knit sweater, HTTP is good.”

So checking your sports scores on ESPN at home is probably fine despite the site’s less secure connection. If you log into your ESPN account at a coffee shop, I would be a little nervous (and probably wouldn’t). If I just couldn’t resist, I would make sure that my ESPN login credentials are not the same as anything I use for any other site or service, and I absolutely would not enter my credit card information to buy anything on ESPN’s site (if you even can).

In other words, HTTP likely won’t cause problems for normal web browsing, but once you start typing in information that you don’t want others to see (passwords, billing information, your address, social security number, etc.), you would be foolish to do it over an insecure connection. Worse still, you don’t want to send that information over an insecure HTTP connection on an open wireless network, in a coffee shop, or anywhere else where many people you don’t know share the same network and could run a cyber wiretap on what you’re up to.

Until more websites have moved to HTTPS, you’ll also want to make sure you pay more attention to Google’s callout in Chrome. In an ideal world, Google would make the “unsafe” icon red and blinking to get your attention when you’re about to do something that shouldn’t be done on an unsafe website, but a larger indicator in the address bar is better than nothing, we suppose. The next time you are about to buy something online, be sure to take a quick look at the top of your browser.
