Chrome Security Warnings Revamped: What You Need to Know

John Lister's picture

If you use Google's Chrome browser, you may have started seeing warnings that a website is not secure. Here's what it means and what's changed.

What's the change?

Google has changed the way it displays information about websites in the space on the left of the address bar at the top of the Chrome display. Originally this space was only used to indicate when a website was secure via a padlock symbol. Later on Google gave this more emphasis, adding the word "Secure" and marking both in green to stand out.

Previously, the fact that a website isn't secure wasn't explicitly stated: it was just indicated by the absence of the padlock and wording. Google then started showing "Not secure" warnings, but only if and when a page asked a user to fill in a form, such as when submitting a password or card number.

This changes with the latest edition of Chrome, which adds the wording "Not secure" on any relevant page as soon as it loads.

What do "secure" and "not secure" mean?

"Secure" indicates that a website uses the HTTPS system, while "not secure" means it uses the older HTTP system. The difference is that HTTPS sites and pages will encrypt any data that moves between the website and the user's computer, and vice versa.

The encryption means that if anyone intercepts the data, they'll find it practically impossible to read. This is important for sending personal information, credit card details, passwords and other sensitive data.

Are there any other benefits to secure sites?

If a site uses HTTPS, it becomes considerably harder for a scammer to intercept data coming from the website and alter the code to change the contents of the page.

For example, in a "phishing" attack, scammers create a fake banking website that looks legitimate, but when the user inputs data into a form, that data gets sent to a third party rather than a legitimate site. They could also put bogus information on the site such as a fake helpline phone number.

What should I do if I see the "not secure" warning?

You don't need to panic: it may simply be that the website operators haven't taken the necessary steps to make their website secure, or to make sure that people are redirected to a secure version. However, you should be wary about submitting any confidential or sensitive data through any site that is reported to be "not secure". You'll need to be particularly careful when using such sites over public WiFi networks. (Source: lifehacker.com)

Is Google changing anything in the future?

Later this year, Google will phase out the padlock and "Secure" notice altogether. At that stage it will only mark those websites which are not secure. That wording will then be marked in red to make it stand out even more. (Source: blog.google)

What's Your Opinion?

Have you noticed the "secure" and "not secure" change? Do you pay attention to whether sites are secure? Should browser makers do more to make users aware of secure and insecure sites?


Comments

davolente_10330's picture

I think I err on the side of good sense, provided the notification stays as subtle as it currently is and Chrome doesn't suddenly go mad with sounds or anything equally as crass on the visuals! I have found that a lot of people don't even know about https or the padlock, so anything that draws their attention to it is probably a good thing, with the proviso that it doesn't make them panic. Perhaps a bit more publicity is the order of the day. I certainly think other browsers should follow suit.

SteveMann's picture

Why is a site that takes no user data, no forms, no cookies a security risk?
If Google is going this route, they should provide a free certificate service for the small users.

bern's picture

You can access a site with HTTPS and still get a warning saying unable to verify certificate or certificate expired. A lot of large organizations set up their own certificate authority, especially if they need to generate a lot, rather than pay a 3rd party commercial organization to do it for them. I even got the message trying to access the BBC iPlayer the other day, but it soon disappeared. You just have to build up your own list of exceptions. My old ISP was a classic example of always having expired certificates.