Secure in Chrome Browser Does Not Mean Safe
Many smaller sites, like ours, are being pushed into using secure servers or else be tagged as “dangerous”. Sites that don’t move to SSL/TLS (HTTPS) secure servers by October will display this warning to Chrome users:
Currently, users who visit a site not using SSL/TLS/HTTPS (“secure servers”) see a much milder notice like the one shown below:
In September, because we want to keep our little business, we’re going to have to spend hours and dollars moving to SSL/TLS/HTTPS, even though we don’t need to, because we never ask for or store any personal information.
Our forms ask only for a name (first name only, if you like), an email address, and information about the service you’re inquiring about. Any sales we make are made offsite on a secure, encrypted server (PayPal). So our site, and you when you visit us, are perfectly safe the way things are – no SSL/TLS/HTTPS (secure server) necessary. And but for Google, we’d be able to continue on with business as usual, helping people, fixing computers, etc. But Google has hundreds of billions of dollars and we have very little – so you know who’s going to win the battle.
We have no choice; in September we will be spending many hours and dollars doing something unnecessary only to appease Google… and it will not make our site or your visits to our site one bit safer.
That’s not to say that SSL/TLS/HTTPS (secure servers) are not necessary. Banks, online stores, government websites, credit card sites, or any sites that ask for sensitive and/or confidential information should be on secure servers. But mom & pop sites like ours, or other small sites and blogs, don’t need to be on secure servers. But we’re going to appease Google, need it or not, next month.
Google doesn’t want you to know this, but “Secure” does not mean “Safe”. To learn why, please read the following article written by security expert Mark Maunder from Wordfence:
‘Secure’ in Chrome Browser Does Not Mean ‘Safe’
Written by Mark Maunder
Google’s Chrome web browser is used by over 50% of users on the web. When you visit a website that is using SSL, otherwise known as HTTPS or TLS, you see a green message in your browser location bar that says “Secure”.
“Secure” in Chrome browser does not mean “Safe”. In this post I will explain why in terms that are easy to understand and tell you what to do about it. I’ve written this post to be easy to read. I’d like to encourage you to share it with friends and family to help them stay secure.
For our technical readers, here is a summary of what we discuss in this post:
- We show that SSL certificates are being issued by more than one certificate authority (CA) to phishing sites pretending to be Google, Microsoft, Apple and other well-known companies.
- A valid certificate causes Chrome to show a website as “Secure”.
- When a certificate is revoked once a CA realizes they should not have issued it, we show that Chrome still shows the site as “Secure”. The “revoked” status is only visible in Chrome developer tools.
- Malicious sites that have been issued valid SSL certificates take some time to appear on Chrome’s malicious site list. We show that the safe browsing list cannot be relied on as a backup mechanism to protect users from malicious sites with valid SSL certificates.
What does “Secure” actually mean in Chrome browser?
In order for a website to be labeled as ‘Secure’ by Chrome, it needs to set up SSL on its web server. As part of that process, it needs to contact a certificate authority (CA) to get a ‘certificate’. The CA is supposed to verify that the website owner actually owns the website. This process is called ‘domain validation’. Other than verifying that the domain owner actually owns the website, the CA is not required to do anything else.
In Chrome, when you see “Secure” in your browser location bar, it means that the connection between your browser and the website you are connected to is encrypted. It also means that the person who installed the certificate on the website actually owns the site domain. It does not mean that the domain is “Trusted”, “Safe”, “Not malicious” or anything else…
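Editor’s added example (not part of Mark Maunder’s article and not Wordfence or Chrome code): a simplified model of the checks a TLS client performs before it shows the padlock. The certificate data below is constructed, `trusted_chain` stands in for the chain-building step against the browser’s root store, and the hostname-matching rules follow RFC 6125 as browsers apply them (wildcard only as the whole left-most label, matching exactly one label, never directly under a top-level label). The point the code makes is structural: every check is about validity dates and whether a name on the certificate equals the host in the address bar. A domain-validated certificate for a look-alike phishing domain passes all of them, while the genuine site’s certificate served from the phishing host fails, so “Secure” is a statement about who controls the domain you typed, not about whether that domain is safe.

```python
# Added illustration of padlock logic; not Chrome's implementation.
from datetime import datetime, timezone


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    A wildcard is honoured only as the entire left-most label ("*.example.com"),
    it matches exactly one label, and it is refused with fewer than two labels
    after it ("*.com"). Partial ("f*.example.com") or non-left-most wildcards
    are rejected, as browsers do.
    """
    cert_labels = _labels(cert_name)
    host_labels = _labels(hostname)
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    if "*" in cert_labels[1:] or any("*" in lbl and lbl != "*" for lbl in cert_labels):
        return False
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def browser_verdict(cert: dict, hostname: str, now: datetime) -> str:
    """Return "Secure" or "Not secure" the way padlock logic would.

    `cert` is a constructed stand-in for a parsed X.509 certificate:
      names         -- subjectAltName dNSName entries
      not_before /
      not_after     -- validity window
      trusted_chain -- result of chain building against the root store
    Nothing here inspects what the site does, only whom the name belongs to.
    """
    if not cert["trusted_chain"]:
        return "Not secure"  # unknown or untrusted issuer
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return "Not secure"  # expired or not yet valid
    if not any(name_matches(n, hostname) for n in cert["names"]):
        return "Not secure"  # certificate is for some other site
    return "Secure"  # encrypted, name matches; says nothing about intent


# Constructed sample data for the demonstration, not real certificates.
NOW = datetime(2017, 8, 1, tzinfo=timezone.utc)

PHISH_CERT = {  # DV certificate any CA would issue to whoever controls this domain
    "names": ["accounts-google-login.example", "www.accounts-google-login.example"],
    "not_before": datetime(2017, 7, 1, tzinfo=timezone.utc),
    "not_after": datetime(2017, 10, 1, tzinfo=timezone.utc),
    "trusted_chain": True,
}

GENUINE_CERT = {  # the real site's certificate, if a phisher tried to reuse it
    "names": ["*.google.com", "google.com"],
    "not_before": datetime(2017, 7, 1, tzinfo=timezone.utc),
    "not_after": datetime(2017, 10, 1, tzinfo=timezone.utc),
    "trusted_chain": True,
}


def demo() -> dict:
    """Run the scenarios from the article against the model and collect verdicts."""
    return {
        "phish_on_own_domain": browser_verdict(PHISH_CERT, "accounts-google-login.example", NOW),
        "stolen_cert_on_phish_domain": browser_verdict(GENUINE_CERT, "accounts-google-login.example", NOW),
        "wildcard_one_label": browser_verdict(GENUINE_CERT, "accounts.google.com", NOW),
        "wildcard_too_deep": browser_verdict(GENUINE_CERT, "a.b.google.com", NOW),
        "expired": browser_verdict(
            PHISH_CERT, "accounts-google-login.example", datetime(2018, 1, 1, tzinfo=timezone.utc)
        ),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:30s} -> {verdict}")
```

The first scenario is the one the article is about: the look-alike domain gets “Secure” because its owner really does control that domain, which is all domain validation ever asserted. Revocation is deliberately absent from this model; whether and how a browser consults CRLs, OCSP or its own revocation lists is a separate policy layered on top of these checks.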