Sometime this January, Google Chrome will start marking web sites that do not use a secure certificate as insecure. This is Google’s push to make the web more secure – or should we say encrypted. Installing a secure certificate on a web site allows it to use the https:// protocol and will display a green padlock in Chrome (and something similar in other browsers). For now, a little black exclamation mark in a circle appears if a web site is not using a certificate – and eventually Chrome may say “Insecure” beside the URL.
Using a certificate is imperative for web sites that collect user data with forms and an absolute requirement when receiving sensitive data (credit card numbers, personal details, usernames/passwords, etc.). I would never, ever, enter important information in a web site that is not encrypted. When your browser talks to a web site, this information can pass through dozens of intermediary locations – any one of which can log, or drop in and view, your web traffic. With free unsecured Wi-Fi networks popping up everywhere, encryption is even more important to protect your information.
My worry with this is that having Chrome say that a site is “Secure” is going to make people think it is safe as well. In reality a site using a certificate could easily contain viruses, malicious software or harmful scripts, be a phishing web site, or simply employ loose security like storing passwords in plain text. This is going to create a false sense of security for non-technically-savvy users. This is made easier by services offering free certificates like Let’s Encrypt – where there are minimal checks and balances required to set up a secure certificate and anyone, including hackers, can do this on their servers in minutes. What “Secure” protects you against is eavesdropping by hackers and rogue governments. It won’t protect you from installing a virus, hide your internet history from your spouse, or even hide the sites you visit from big brother (DNS lookups are still unencrypted). It won’t protect your information if the web service you are using is hacked. When shopping online or trusting your information to any web service, a certificate is just one of many things they should have in place to keep your information secured.
This article offers some insight into how hackers have been able to use Let’s Encrypt to secure their malware.
Making sure the certificate is installed right is just as important as having one (remember Heartbleed and the CRA). Qualys SSL Labs has a great tool to check your certificate, see which ciphers and protocols a web site is using, and find out whether it is susceptible to any known vulnerabilities.
Our recommendations are to check the certificate to see who issued it: if it is one of the big trusted authorities then you are fine for e-commerce and other really sensitive data; if it is Let’s Encrypt or another free encryption service, that is probably fine for usernames/passwords or basic contact information. Make sure your operating system and browser are up to date, always take caution when downloading files no matter where they come from, and always use different usernames and passwords for different web sites.
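As an added example (not from the original post), here is a small Python script that does the basic check recommended above on a live site: who issued the certificate, whether it covers the host and is still current, and which protocol and cipher were negotiated. The lists of what counts as a weak protocol or cipher are my own assumption, not something the post specifies.

```python
import socket
import ssl
import time

# Assumption: these are the protocol versions and cipher fragments we treat as weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_HINTS = ("RC4", "DES", "NULL", "MD5", "EXPORT")

def rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of getpeercert()'s nested tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def hostname_matches(hostname, sans):
    """True if hostname is covered by a DNS SAN, allowing a single left-most wildcard label."""
    host = hostname.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count(".") and host.endswith(san[1:]):
            return True
    return False

def summarize_cert(cert, hostname, protocol, cipher, now=None):
    """Summarize a peer-cert dict (the shape ssl.SSLSocket.getpeercert() returns) plus the negotiated TLS parameters."""
    now = time.time() if now is None else now
    issuer = cert.get("issuer", ())
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    cipher_name = cipher[0] if cipher else ""
    warnings = []
    if not hostname_matches(hostname, sans):
        warnings.append("certificate does not cover %s" % hostname)
    if days_left < 0:
        warnings.append("certificate expired")
    elif days_left < 14:
        warnings.append("certificate expires in %d days" % days_left)
    if protocol in WEAK_PROTOCOLS:
        warnings.append("weak protocol %s" % protocol)
    if any(hint in cipher_name for hint in WEAK_CIPHER_HINTS):
        warnings.append("weak cipher %s" % cipher_name)
    return {"issuer": rdn_value(issuer, "organizationName") or rdn_value(issuer, "commonName"),
            "days_left": days_left, "protocol": protocol, "cipher": cipher_name, "warnings": warnings}

def inspect_site(hostname, port=443, timeout=5):
    """Connect to a live host; the default context validates the chain and hostname for us."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return summarize_cert(tls.getpeercert(), hostname, tls.version(), tls.cipher())
```

Run `inspect_site("your-site.example")` to see the issuer and any warnings; a validation failure raises `ssl.SSLCertVerificationError` before the summary is produced.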