Secure in Chrome Browser Does Not Mean Safe
Many smaller sites, like ours , are being pushed into using secure servers or else be tagged as “dangerous”. Sites that don’t move to SSL / TLS (https) secure servers by October will display this warning to Chrome users:
Starting in October 2018, Chrome users will see the above warning for all sites not running on a secure servers (https://).
Currently, users who visit a site not using SSL / TLS / HTTPS or “secure servers”) see much milder notice like the one shown below:
In September, because we want to keep our little business, we’re going to have to spend hours and dollars moving to a SSL/TLS/HTTPS, even though we don’t need to, because we never ask or or store any personal information.
Our forms ask only for a name (can be first only if you like), and email address and information about the service your inquiring about. Any sales we make are made offsite on a secure encrypted server (PayPal). So, our site and you, when you visit us, are perfectly safe the way things are – no SSL/TLS/HTTPS (secure server) necessary. And but for Google, we’d be able to continue on with business as usual helping people, fixing computers, etc. But Google has hundreds of billions of dollars and we have very little – so you know who’s going to win the battle.
We have no choice; in September will be spending many hours and dollars doing something unnecessary only to appease Google… and it will not make our site or your visits to our site one bit safer.
That’s not to say that SSL/TLS/HTTPS (secure servers ) are not necessary. Banks, Online Stores, Government Websites, Credit Card sites or any sites that ask for sensitive and/or confidential information should be on secure servers. But mom & pop sites like ours or other small sites and blogs don’t need to be on secure servers. But we’re going to appease Google, need it or not, next month.
Google doesn’t want you to know this, but “Secure” does not mean “Safe”. To learn why, please read the following article written by security expert Mark Maunder from Wordfence:
‘Secure’ in Chrome Browser Does Not Mean ‘Safe’
Written by Mark Maunder
Google’s Chrome web browser is used by over 50% of users on the web. When you visit a website that is using SSL, otherwise known as HTTPS or TLS, you see a green message in your browser location bar that says “Secure”.
“Secure” in Chrome browser does not mean “Safe”. In this post I will explain why in terms that are easy to understand and tell you what to do about it. I’ve written this post to be easy to read. I’d like to encourage you to share it with friends and family to help them stay secure.
For our technical readers, here is a summary of what we discuss in this post:
- We show that SSL certificates are being issued by more than one certificate authority (CA) to phishing sites pretending to be Google, Microsoft, Apple and other well-known companies.
- A valid certificate causes Chrome to show a website as “Secure”.
- When a certificate is revoked once a CA realizes they should not have issued it, we show that Chrome still shows the site as “Secure”. The “revoked” status is only visible in Chrome developer tools.
- Malicious sites that have been issued valid SSL certificates take some time to appear on Chrome’s malicious site list. We show that the safe browsing list can not be relied on as a backup mechanism to protect users from malicious sites with valid SSL certificates.
What does “Secure” actually mean in Chrome browser?
In order for a website to be labeled as ‘Secure’ by Chrome, it needs to set up SSL on its web server. As part of that process, it needs to contact a certificate authority (CA) to get a ‘certificate’. The CA is supposed to verify that the website owner actually owns the website. This process is called ‘domain validation’. Other than verifying that the domain owner actually owns the website, the CA is not required to do anything else.
In Chrome, when you see “Secure” in your browser location bar, it means that the connection between your browser and the website you are connected to is encrypted. It also means that the person who installed the certificate on the website actually owns the site domain. It does not mean that the domain is “Trusted”, “Safe”, “Not malicious” or anything else…
Hi TC & EB,
My my how the world turns as gradually the ‘little people’ are gradually ensnared buy the ‘big guys’, and whether right, wrong or indifferent the ‘big guys’ win.
The great American salutation, “In God We Trust” is an age-old scam because Google, Yahoo and crooked politicians only pay lip service to the salutation, I sure can bet that the Google management, the world-wide banker billionaires, et al, also pay lip service to the salutation all the while picking pockets.
Trust in who or what, because the old, Fair Play assistance will never eventuate from a above, below or beside good people.
Take action against the ‘Big (smallminded) Guys’, Mozilla Firefox, Opera, Bing and Edge are in the wings ….. how can someone ‘love Google. Gmail, You Tube, Sneaky, Spying, Lying, Cheating, money grubbing scroats’ who are determined to rule the world via The Internet.
Hear this, Tim Berners-Lee, a British man created the Internet, USA, Google or other entity will never own the Internet …. no-one owns ‘the sky’, or ‘electricity’, or ‘rain, ‘sun, ‘moon, ‘stars, ‘Universe, ‘pretend God’ or even Infinity.
CloudEight …. you do not need Google … I don’t either, as much as I don’t need a hole in the head, Farcebook, Google and associated crap-ware can go ‘app’ themselves into infinity and continue to be useless for the true being and the greater good of mankind on this planet Earth…………..
Google, quit with the god aspirations …. your true benefits to mankind have yet to be constructed…..!!!!
3 times in the last 9 months I’ve lost access to everything on my desktop. nothing I do helps. Even after reboots nothing works, not even the links on my task bar. Every time I have to reload Windows 10. What is causing this?
I’d have to see your computer to make an educated guess, but my first guess would be you have hard drive problems & my 2nd guess would be that you have incompatible hardware. But these are guesses – I can’t “see” what’s going on unless I could look at your PC. But I can tell you that this behavior is not typical.
Don’t take it personally. Since your site is a very miniscule part of the millions of other sites Google handles you have to embrace their policy for good of all others. I just can see a company that serves millions of customers making exceptions even when they are only”mom and pop” sites. I guess this is the price of doing business. Better to embrace it and avoid lost customers. Microsoft and other large companies all do the same thing in one way or another.
As for the article by Mark Maunder, it is only one article of many on the subject. For every non-conforming article there are hundreds of others that agree with Google.
I wonder if now you will start bashing Google like you do Norton because of Norton flagging your site.
Don’t get me wrong I enjoy reading your articles, and have learned a lot from them. You definitely provide a great service for all of us especially seniors.
How sad you think this of us… and how sadly misinformed you are.
Yes, Jackie, that was rude to say to Cloudeight. They really only have “us” their faithful and appreciative readers at their best interest. They promote Emsisoft which I have and if I ever have an issue…I can email that Company directly and personally have a person answer me and work with me until the issue is solved. Can you say that about Norton, which is a big resource hog on your computer and a big cost on your pockets. Darcy and TC take many hours out of their life to help us. In fact, they must live computers cause I don’t know how they have much more time for anything else.
Don’t criticize a small business person trying to get by and make a living. That just upset me very highly and I don’t even know these folks personally, but they are always there to help us when we have a computer problem. My gosh, please have some common courtesy !
I agree with Annabelle. I would not want to be without Cloudeight. Where else can you find a newsletter like Cloudeight? Just about everything I know I learned from it. Where else can you find the kind of individual help they give when you’re in a dilemma. As well, I never download anything unless it is first approved by TC and EB. TC and EB are worthy of appreciation, not discouragement.
Aw shucks, thanks Jean!