Google Simplifies Web Browser Security Warnings

John Lister

Google is to tone down security warnings for users of the Chrome browser. It believes the move won't increase user risk and may instead encourage websites to improve security.

The change involves the way secure websites appear in the address bar in Chrome. At the moment, a website in Chrome will appear with one of four icons to the left of the address to indicate whether or not it is secure:

  1. A plain white 'blank page' icon indicates an ordinary http site, meaning there's no encryption of data passing back and forth between the website and the user's computer.
     
  2. A green padlock icon indicates that the website is secured (https) and encrypts the data. It also indicates that the security certificates check out, meaning claims about who operates the site are true. That cuts out the possibility of an attack in which a malicious third-party website poses as the true website operator to trick users into typing personal information into a bogus login screen.
     
  3. A gray padlock with a red 'x' indicates a website where the encryption is broken, suggesting the security may be compromised. The Google search engine often blocks users from visiting such sites unless they explicitly acknowledge the risks first.
     
  4. A gray padlock with a yellow warning triangle indicates the website is partly secure, with minor errors in the security.

Mixed Content Warning Ditched

It's the "minor errors" category for which Google is adjusting its security warnings in the Chrome browser. The minor errors are usually due to mixed content, meaning that part of a web page is secure, whereas other parts are not. A common reason is that the main content of the page is secured, but some additional content, such as third-party images or advertisements, is not loaded over a secured channel. (Source: zdnet.com)

According to Google, having four different icons risks confusion for users. It has now decided that pages with mixed content will show only the plain white 'blank page' icon, which amounts to saying that the page is not (fully) encrypted. This is a safety-first approach, with the idea being that unless a user can trust all the content on a site as being 100% secure, they shouldn't rely on any of the encryption even if 99% of it is secure.

Yellow Triangle Deterred Website Security Upgrades

The second reason for the change is that in many cases when a website operator decided to switch from an unsecured website to a secured one, the mixed content icon was regularly triggered during the transition period. Ironically, that also created the impression among users that the site was a specific risk.

Google also believes that some website owners may have been deterred from upgrading their site to secure http (https) due to the mixed content warning. Now, webmasters can work toward upgrading to https and temporarily work with the mixed content until their site is fully compliant (depicted by the green padlock). (Source: blogspot.co.uk)
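For a webmaster in that transition period, the mixed content described above can be found before the browser flags it. The following is an added example, not code from Google or from this article: a Python scan of a page's HTML for subresources that would load over plain http on an https page. The tag list, function names and sample page are assumptions made for illustration, and `srcset` attributes and URLs inside CSS are not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource, keyed by tag.
# <a href> is left out: a link is navigation, not content loaded into the page.
FETCH_ATTRS = {
    "img": ["src"], "script": ["src"], "iframe": ["src"], "embed": ["src"],
    "audio": ["src"], "video": ["src", "poster"], "source": ["src"],
    "object": ["data"],
}
LINK_RELS = {"stylesheet", "icon", "preload"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL) pairs fetched over plain http

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = FETCH_ATTRS.get(tag, [])
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and rels & LINK_RELS:
            names = ["href"]
        for name in names:
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/x) URLs first.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Insecure subresources of an https page; [] when the page is plain http."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; hosts are placeholders, not real sites.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/site.css">
<script src="http://ads.example.net/banner.js"></script>
</head><body>
<img src="http://images.example.org/logo.png">
<img src="//cdn.example.com/photo.jpg">
<a href="http://example.com/old-page">old page</a>
</body></html>"""
```

Calling `find_mixed_content("https://shop.example.com/cart", SAMPLE)` reports the advertisement script and the third-party logo; the protocol-relative image inherits https from the page, and the plain http link is ignored because it is only followed on a click.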

What's Your Opinion?

Do you understand and take any notice of the four icons in Chrome? Did you realize that a site with a yellow warning triangle is actually slightly more secure than one with the standard blank page icon? Is Google right to ditch the mixed content warning and instead err on the side of caution?


Comments

bobf0648

Heck, I never noticed the icons. I just assume all websites are unsafe!

Don Cook

Each of the 4 steps needs a full description on each page they are referring to.