“Not secure… What Does That Mean?”
You may have seen “Not secure” in the address bar while using Chrome. Other browsers are headed towards or have some aspect of this functionality as well. For the remainder of this article, I’ll be using Chrome as an example. The meaning behind “Not secure” in Chrome will be expanding soon, but it all centers around the SSL certificates used to keep you and your data safe on websites.
SSL Security: More Than a Suggestion
SSL certificates on websites provide security through a few methods. Primarily, SSL certificates encrypt data transferred across the internet so that only the intended recipient can understand that data. Secondly, SSL certificates provide authentication that the site you’re visiting is actually the site you intended to visit. A quick check of the address you’re visiting will let you know if you’re even attempting to use a site securely. Secure site addresses will always start with “https”. Insecure sites start with “http”.
“Not secure” Now
Currently, if you see “Not secure” in grey, it typically means that the page you’re on contains form fields, but the page is not secured with an SSL certificate. This means that any data submitted in these fields will be transmitted across an unencrypted connection. If a malicious person happens to be monitoring that connection, they could easily gain access to your data.
If you see “Not secure” in red, the offending site could be dangerous. In general, you should probably leave the site. Several things can cause this warning. One is a mismatched domain: the domain you visited (somedomain.com) does not match the domain on the SSL certificate (which is valid for differentdomain.com). The site may also be a known phishing site.
No matter what color “Not secure” is, you can always click on it to get more information about the issue.
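The domain mismatch described above can be shown in a few lines of Python. This is an added example, not code from Chrome or from this article's author: the function names are hypothetical, the certificates are constructed samples in the shape returned by Python's ssl.SSLSocket.getpeercert(), and the matching rules are a simplified form of the usual ones (a wildcard covers exactly one left-most label).

```python
# Added example: hostname-to-certificate matching, simplified.
# The certificate dicts are constructed samples; no network access is needed.

def dns_names(cert):
    """Return the DNS names a certificate is valid for (subjectAltName entries)."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """True if one certificate name covers the hostname.

    A wildcard is honoured only as the entire left-most label ("*.example.com")
    and covers exactly one label, so it matches "www.example.com" but not
    "example.com" or "a.b.example.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_site(hostname, cert):
    """Return (ok, reason) for the visited hostname against the certificate."""
    names = dns_names(cert)
    if not names:
        return False, "certificate lists no DNS names"
    if any(name_matches(n, hostname) for n in names):
        return True, "certificate is valid for " + hostname
    return False, "mismatch: certificate is valid for " + ", ".join(names)

# Constructed sample certificates (not taken from real sites).
CERT_DIFFERENT = {"subjectAltName": (("DNS", "differentdomain.com"),
                                     ("DNS", "www.differentdomain.com"))}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.somedomain.com"),
                                    ("DNS", "somedomain.com"))}

if __name__ == "__main__":
    for host, cert in [("somedomain.com", CERT_DIFFERENT),
                       ("shop.somedomain.com", CERT_WILDCARD),
                       ("a.b.somedomain.com", CERT_WILDCARD)]:
        print(host, check_site(host, cert))
```

The first sample is the case from the paragraph above: the visitor asked for somedomain.com, but the certificate only lists differentdomain.com, so the check fails and names what the certificate is actually valid for.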
“Not secure” Soon
Beginning in Chrome 68, due for release in July 2018, any website without a valid SSL certificate will be flagged as “Not secure”. The web as a whole is moving towards the goal of encrypting all web traffic to help prevent personal data theft. Websites without SSL certificates will still function without issue, but you will be seeing more warnings about them going forward. Your browser may even force you to grant permission in order to open the site.
As of late 2017, Google announced its plan to distrust all Symantec SSL certificates. This resulted from two separate incidents with Symantec’s certificates. In 2015, Symantec issued nearly 3,000 SSL certificates without the owners of the domains knowing it even happened. Then in 2017, news came that many of Symantec’s partners, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, were not complying with industry baseline security requirements. In addition, Symantec had trusted several companies with known security deficiencies. There were more issues beyond those two, and these incidents combined have led Google to distrust all SSL certificates issued by Symantec or their partners.
You should always be careful with your data while browsing the web. You also need to be aware of the network you’re connected to when signing into any website with your credentials. Public, unsecured WiFi hotspots can expose your data without you realizing it. There are a lot of factors to keep in mind. Pit Crew IT Services can help with all of them in your business or organization.