Google will remove “Secure” indicator from Chrome browser
18 May 2018
In May last year, Google Chrome started marking all non-HTTPS sites as ‘Not Secure’ and introduced a green padlock to let users view a website’s security credentials before carrying out transactions online, accessing cloud servers, or accessing e-mail or social media posts.
The Internet giant then announced that it would eventually mark all non-HTTPS pages as ‘Not Secure’ in red, which would be more noticeable to visitors than the small ‘i’ logo that appeared in the address bar at that point.
No more “Secure” sign from September
Earlier today, Google announced that it will remove the “Secure” indicator from the Chrome browser with the launch of Chrome 69 in September this year. This would mean that Chrome users will only be able to view the green padlock instead of the “Secure” text.
“Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the “Secure” wording and HTTPS scheme in September 2018 (Chrome 69).
“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages.
“We hope these changes continue to pave the way for a web that’s easy to use safely, by default. HTTPS is cheaper and easier than ever before, and unlocks powerful capabilities — so don’t wait to migrate to HTTPS!” Google said in a blog post.
The “Not Secure” sign will be of particular importance, as it will make it easier to attract the attention of Chrome users when they visit sites that are not secured by HTTPS.
HTTPS secures the connection to a website with a security certificate, which assures users that they are on a safe website and that any information they send to the site is well-protected. As such, any website served over HTTP, or carrying a certificate signed with Secure Hash Algorithm 1 (SHA-1), may not be able to completely secure confidential customer information.
SHA-1 is an outdated hash algorithm that has been known to be insecure since 2005. The modern security standard is SHA-2, which all browsers now support.
In May last year, Microsoft also took the decision not to allow any website that carried SHA-1 certificates to load in the Microsoft Edge and Internet Explorer 11 browsers. “Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificate,” it said.
“This is a very positive step from Microsoft and it will definitely improve the security of the Internet — both Google and Mozilla started blocking websites that use SHA-1 back in February. It’s well within reach of nation states and sophisticated adversaries to compromise SHA-1 certificates. In fact, more than a decade ago NIST called for the elimination of SHA-1 because of known vulnerabilities,” says Kevin Bocek, chief cybersecurity strategist at Venafi.
Jay has been a technology reporter for almost a decade. When not writing about cybersecurity, he writes about mobile technology for the likes of Indian Express, TechRadar India and Android Headlines