Google to remove “Secure” indicator from Chrome browser
18 May 2018
In May last year, Google Chrome started marking all non-HTTPS sites as 'Not Secure' and introduced a green padlock to let users view a website's security credentials before carrying out transactions online, accessing cloud servers, or accessing e-mail or social media posts.
The Internet giant then announced that it would eventually mark all non-HTTPS pages as 'Not Secure' in red, which would be more noticeable to visitors than the small 'i' logo that appeared on the address line at that point.
No more "Secure" sign from September
Earlier today, Google announced that it will remove the "Secure" indicator from the Chrome browser with the launch of Chrome 69 in September this year. This means that Chrome users will only be able to view the green padlock instead of the "Secure" text.
"Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).
"Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages.
"We hope these changes continue to pave the way for a web that’s easy to use safely, by default. HTTPS is cheaper and easier than ever before, and unlocks powerful capabilities -- so don’t wait to migrate to HTTPS!" Google said in a blog post.
The "Not Secure" sign will be of particular importance, as it will then be easier to attract the attention of Chrome users when they visit sites that are not secured by HTTPS.
HTTPS is the latest website security certificate which assures users that they are on a safe website and that any information they send to the site is well-protected. As such, any website carrying the HTTP certificate or Secure Hash Algorithm (SHA-1) may not be able to completely secure confidential customer information.
SHA-1 is an outdated hash algorithm that has been known to be insecure since 2005. The modern security standard is SHA-2, which all browsers now support.
In May last year, Microsoft also decided to stop the Microsoft Edge and Internet Explorer 11 browsers from loading any website that carried a SHA-1 certificate. "Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificate," it said.
"This is a very positive step from Microsoft and it will definitely improve the security of the Internet -- both Google and Mozilla started blocking websites that use SHA-1 back in February. It's well within reach of nation states and sophisticated adversaries to compromise SHA-1 certificates. In fact, more than a decade ago NIST called for the elimination of SHA-1 because of known vulnerabilities," says Kevin Bocek, chief cybersecurity strategist at Venafi.