With the release of Chrome v62 in less than 3 months, Google will begin marking non-HTTPS pages that have text input fields (like contact forms and search bars), and all HTTP websites viewed in Incognito mode, as “NOT SECURE” in the address bar. The company started sending warning emails to website owners in August as a follow-up to an announcement by Emily Schechter, Product Manager of the Chrome Security Team, back in April.
Google began marking sites in Chrome v56, which was released in January of this year. That release targeted HTTP sites that collect user passwords and credit card details.
To protect the information exchanged between their visitors and their web server, site owners must start using an SSL certificate. Failing to do so is risky for both parties: a site that sends information in clear text exposes it to anyone positioned to observe that traffic on the Internet.
Ms. Schechter also provided website owners with a handy guide on how to enable HTTPS on their servers. An additional guideline for web developers on how to avoid the “NOT SECURE” warning in Chrome is also available.
Looking at the way things are panning out, we can be confident that HTTPS will be the norm in no time. However, this doesn’t mean that all sites using SSL certificates can and should be trusted.
By marking insecure sites, Google intended to help separate phishing sites from legitimate ones, as Help Net Security noted in an article. Unfortunately, the arrival of browser versions that flag HTTP sites was promptly followed by more phishing sites using HTTPS. We’ve been seeing examples of this in the wild as well, the latest of which was an Apple phishing campaign.
Discerning phishing pages from real ones has become more challenging than ever. This is why it’s important for users to familiarize themselves with signs, other than the lack of an SSL certificate, that they might be on a phishing page. Fortunately, users don’t have to look far from the address bar when they want to double-check that they’re on the right page before entering their credentials or banking details. Keep in mind the following when scrutinizing a URL and the elements around it:
- Look for characters in the URL that have been chosen to resemble another letter or number (such as a digit 1 standing in for a lowercase l), and for extra letters or numbers added to an otherwise familiar domain name.
- Look for an Extended Validation certificate (EV SSL). You know that a trusted website has one when you see a company name beside the URL, as in the UK PayPal address shown below. Not all sites with SSL have this, unfortunately, but some of the trusted brands online already use EV SSL, such as Bank of America, eBay, Apple, and Microsoft.
Lastly, be aware that phishers may use a free SSL certificate in their campaigns to make them appear legitimate. They may also hijack sites that already have SSL in place, adding to the veil of legitimacy they want to attain.
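The address-bar checks above can be mechanised. The following is an added example, not code from the original article or from Google: a small Python triage helper that flags look-alike characters, mixed scripts, punycode labels and brand names that sit outside the registrable domain, and a second function that reads the organisation name (the field an EV certificate shows beside the URL, and one that free domain-validated certificates lack) from a certificate dict in the shape `ssl.getpeercert()` returns. The brand list, the confusable table, the tiny public-suffix stand-in and the sample URLs and certificate dicts are all constructed for the example.

```python
# Added example (not from the original article): address-bar triage for phishing URLs.
import unicodedata
from urllib.parse import urlsplit

# Brands the user wants to protect; constructed list for this example.
WATCHED_BRANDS = ["paypal", "apple", "ebay", "microsoft", "bankofamerica"]

# Visually confusable substitutions, deliberately small; real detectors use
# the full Unicode confusables table. Multi-character keys are applied first.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, p
    "\u0441": "c", "\u0443": "y", "\u0455": "s", "\u0456": "i",  # Cyrillic c, y, s, i
    "\u0131": "i", "\u0142": "l", "\u0261": "g",                 # dotless i, l-stroke, script g
}

# Crude stand-in for the public suffix list, so paypal.co.uk keeps three labels.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


def skeleton(label):
    """Collapse a host label onto the plain-ASCII string it is made to resemble."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def scripts_in(label):
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def decode_label(label):
    """Turn a punycode label (xn--...) back into Unicode so it can be inspected."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def registrable_domain(labels):
    """Owner-controlled part of the host (simplified eTLD+1)."""
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(url):
    """Return {'host', 'https', 'findings'}. 'https' is only a precondition:
    phishers obtain free certificates too, so the padlock alone is no trust
    signal; the findings list carries the actual warning signs."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    raw_labels = host.split(".")
    labels = [decode_label(lbl) for lbl in raw_labels]
    reg_label = registrable_domain(labels).split(".")[0]
    findings = []
    for raw, label in zip(raw_labels, labels):
        if raw != label:
            findings.append("punycode_label")
        if len(scripts_in(label)) > 1:
            findings.append("mixed_script")
        low, sk = label.lower(), skeleton(label)
        for brand in WATCHED_BRANDS:
            if brand not in sk:
                continue
            if brand not in low:
                findings.append(f"lookalike_of_{brand}")        # paypa1, cyrillic a, ...
            elif low != brand:
                findings.append(f"extra_characters_around_{brand}")  # paypal-secure, ...
            if low != reg_label:
                findings.append(f"{brand}_not_the_registrable_domain")  # paypal.com.evil.example
    return {"host": host, "https": parts.scheme.lower() == "https", "findings": findings}


def subject_organization(cert):
    """Organisation name from a certificate dict shaped like ssl.getpeercert().
    Free DV certificates carry none; EV certificates carry the company name
    Chrome shows beside the URL. In practice, feed this with
    ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


# Constructed sample certificate dicts in getpeercert() shape (not real certificates).
SAMPLE_EV_CERT = {"subject": ((("countryName", "US"),),
                              (("organizationName", "Example Bank, Inc."),),
                              (("commonName", "www.example-bank.test"),))}
SAMPLE_DV_CERT = {"subject": ((("commonName", "login-example.test"),),)}


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin", "http://paypa1-secure-login.example/",
              "https://www.p\u0430ypal.com/", "https://paypal.com.secure-login.example/"]:
        print(u, triage(u))
    print(subject_organization(SAMPLE_EV_CERT), subject_organization(SAMPLE_DV_CERT))
```

The heuristics are deliberately loose (a host such as pineapple.example trips the "extra characters" rule for "apple"), which is the right trade-off for a warning a user then verifies by eye; the organisation-name check only tells you that the certificate is not a free domain-validated one, not that the organisation is the one you expect, so the name still has to be read.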
Other related posts:
- Phishing 101: Part 1, Part 2, and Part 3
- The growing threat of phishing
- Something’s phishy: How to detect phishing attempts
Would be nice if Google would provide this feature of going to https to their customers under their web platform Blogger. At this moment, unless I use a crude web URL that Google provides under Google Blogger, I cannot implement https. It states:
“Warning: HTTPS is currently not available for custom domain blogs”
So how about it Google? Are you going to leave your paying customers in the dark or are you going to provide this feature?
Just another way for Google to leave smaller or personal websites in the dark.
This is total bull. It’s a BIG mistake. HTTPS isn’t secure and it forces sites that have no reason to encrypt to go through hassle. Really bad idea!!!
One has to wonder about this BS move by Google to “require” websites to register as “https” sites in their never-ending quest to be the biggest Internet powerhouse… Hosting services will gladly provide an SSL certificate for your website for a price – usually at a high price that is…! When was it determined that Google is king of the Internet and can continually set these “requirements” for all to follow…?
I get that Google wants websites to be “safe” but at what cost…? There are probably millions of personal sites being hosted by hosting companies but out of those millions of sites, do the owners of said sites have the financial wherewithal to afford the overpriced SSL certificates…? I’m guessing the answer would be “no”… How about the hosting services provide that service at a reasonable rate along with the rate they charge for hosting websites…?
In my opinion, this is just another move on the “Internet Chessboard” for Google to share in the revenue that will be generated by hosting services selling SSL certificates that are only good for one year and have to be renewed unless you, as a website owner, have very deep pockets and can afford to purchase an overpriced SSL certificate for more than one year and for each website you may own…!
Soon, Google will demand that all who use the Internet must use their browser only…!