Half-secure not good enough for Chrome users says Google

Google has stepped up its effort to make Web site security a little more comprehensible to ordinary users, farewelling the yellow triangle nobody understands. While the decision falls under the “and it's a good thing too” heading for security experts, there's no doubt it will cause some angst among people whose sites include …

  1. Dan 55

    Security is layered

    So why are browsers moving to a black/white description of security when showing security information to users?

    Perhaps a points-based award like several browser plugins do... Or a points-based award mapped onto a text description. Or colours. Or something similar.

    1. DaLo

      Re: Security is layered

      "Security is layered

      So why are browsers moving to a black/white description of security when showing security information to users?"

      Maybe, but with IT, if something is 'almost secure' then can it actually be classed as 'secure'? With mixed content it is pretty hard, even for the web developer sometimes, to know what content is being loaded insecurely, so how is the visitor supposed to know whether it is something crucial or not (generally they will just carry on regardless).

        1. Dan 55

        Re: Security is layered

        1. "This website is secured."

        2. "This website somewhat secured but does not follow best practice. You may be liable for security failures which could have been avoided by the website owners."

        3. "This website is not secured. Do not use it for banking, government, or buying products on-line."

        I guarantee if message number 2 appears in people's browsers (in other words, another version of the warning triangle with a bit of text spelling out that they're not doing it right), banks, gov, and e-commerce will come under pressure to pull their finger out.

        1. DaLo

          Re: Security is layered

          "This website somewhat secured "

          That is meaningless. Is my data secure or not?

          The yellow triangle hasn't caused many site owners to pull their finger out even though hovering over it says the site isn't secure so adding some text isn't going to make much difference.

          However option 3 for all insecure sites is much more likely to make a difference to the action by the site owner to remedy the situation.

  2. This post has been deleted by its author

    1. frank ly

      Re: Why...

      Conspiracy theories in a comment please........

    2. Dan 55

      Re: Why...

      Worstall was put in charge and he decided that it would be better if El Reg pushed the cost onto the commentards. We have to PGP encrypt the comments ourselves and swap keys in the forum.

    3. Throatwarbler Mangrove

      Re: Why...

      Why bother?

  3. Your alien overlord - fear me

    Well, Chrome on Android helpfully cuts off the http(s):// from the front of websites so they'd better bring that back if they aren't going to give little icons showing how insecure pages are.

    1. Anonymous Coward

      I'm guessing the idea is that a "partly secure" page (https mixed with http) will appear in the browser the same as a "completely insecure" page (http).

      This should put extra pressure on site owners - just sticking a https certificate for your main HTML content isn't good enough.

  4. Anonymous Coward

    "users clicking “OK” on anything they don't understand"

    Not quite sure why researchers "complained" about something which has been a foundation stone of security systems and processes!

    In a nutshell -

    1) Users are NOT security boffins

    2) Users don't want to have to make decisions (they could be blamed for!)

    3) First and foremost users want unimpeded use of their techie toys.

    In other words security systems need to be as non-obtrusive as possible and work in the background or they will be spurned by end users.

    Any introduction to IT Security will have a sentence to the effect that the role of security systems is BOTH to deter unauthorised access/use AND to facilitate access/use for legitimate users... a statement which seems to have been quickly forgotten :-)

    Instead of "complaining" about human psychology, Mountain View Boffins might try to remember that - unlike them - the average user does not dream of elliptic curves and would not recognize a piece of malware if it stared them in the face!

    1. Anonymous Coward

      Re: "users clicking “OK” on anything they don't understand"

      This user (me) is a security boffin, and I know that my site certificate issued by my internal CA is trustworthy, to me. I didn't pay for an EV certificate or even a standard certificate or even a free certificate, but I still trust it more than any site that I don't control.

    2. Charles 9

      Re: "users clicking “OK” on anything they don't understand"

      Problem is they are frequently at odds. It's like with deadbolts; some people just don't like them. What do you do when the least acceptable level of security is also past the most acceptable level for inconvenience?

  5. Drefsab_UK

    I welcome this. People say security is layered, but Mr Average doesn't understand that. If he connects to a site that uses HTTPS, it's secure, surely, it's using HTTPS. Any techno babble won't be understood; it has to be black or white.

    If you say to someone this site has an SSL certificate signed with a SHA1 algorithm, they won't know what that means. If you say this SSL BAD!, they get it.

    Sure put the information in there but sadly we have to cater for the lowest common denominator.

  6. bigtimehustler

    Makes sense to me. If you're serving your pages using https, it isn't rocket science to make sure you serve static content over https as well. To be honest, neither myself nor any company I have worked for has ever served mixed content, as it's clearly going to make users think the page might not be secure.
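The "make sure you serve static content over https" check above can be automated before Chrome does it for your visitors. The following scanner is an added example written for this thread, not code from the article or from any commenter: it parses an HTML document that is assumed to have been fetched from an https:// URL and lists every sub-resource the browser would fetch over plain http://, split into active content (scripts, frames, stylesheets, which browsers block) and passive content (images and similar, which only trigger the warning). Protocol-relative and relative URLs inherit https and are correctly left alone; the sample page and host names are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose insecure load can script or alter the page ("active" mixed content,
# which browsers block outright); other sub-resources are "passive" (display only).
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = ("src", "href", "data", "poster")


class MixedContentScanner(HTMLParser):
    """Collect sub-resources that an https:// page would fetch over plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "base", "form"):  # navigation targets, not sub-resource fetches
            return
        if tag == "link":
            # A stylesheet can restyle the page; icons/preloads are treated as passive.
            rel = (attrs.get("rel") or "").lower()
            severity = "active" if "stylesheet" in rel else "passive"
        else:
            severity = "active" if tag in ACTIVE_TAGS else "passive"
        for name in URL_ATTRS:
            value = attrs.get(name)
            if not value:
                continue
            # Relative ("/x.js") and protocol-relative ("//host/x.js") URLs resolve
            # against the https page, so only an explicit http:// scheme is flagged.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((severity, tag, absolute))


def scan_mixed_content(page_url, html):
    """Return [(severity, tag, url)] for an https page; an http page cannot have mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (not a real site): one active and one passive offender.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="/static/local.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<a href="http://other.example.test/">a plain link is not a sub-resource</a>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content("https://www.example.test/", SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```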

  7. Anonymous Coward

    When I read the title

    I thought Google were junking their tracking and data harvesting programs to increase our security, but no, they're just spouting the usual carp, making users think Google cares about their security and, of course, while news sites suck it up and continue hyping up the biggest privacy invader.

    The NSA and GCHQ might gather information about everyone online, but Google actually uses information it gathers about its proles all day, every day. I doubt the security services actually use the data they collect on us all to the same extent.

    However, that said, it doesn't excuse the [expletive deleted] surveillance programs.

  8. JanMeijer

    about time

    Design for users who've got better things to do with their time.

  9. Anonymous Coward

    Yet another reason for us developers NOT to use Chrome. It helps to see at a glance when an HTTP link slips into an HTTPS site. Common problem. So... flood us with "OMFG SITE IS INSECURE!!!" reports, make us dig deeper, add MOAR FRICTION, slow us down.... score one for entropy!

    I suppose the next Firefox release will slavishly follow suit, and I'll start doing development in Pale Moon.

    1. Anonymous Coward

      Or, you know, just design the site to be secure.

      Like what your job is.

      /me runs away giggling

  10. oneeye

    Firefox on Android is best!

    I use Chrome sparingly, but Firefox offers more security options. And the new Adblock Plus browser for Android is based on Firefox, but add-ons are not compatible yet. And Ghostery makes a great browser too. They beat Adblock by almost a year.

  11. Steve Jackson

    Just take a look in the Highway Code

    Traffic lights all mean STOP and green doesn't even mean full steam ahead.

    Why is it always motoring analogies that work well when applied to computing...

  12. JimBob01

    What is checked?

    Is this a straight mixed content check?

    Does the check fail if the https implementation is poor, eg SHA1 cert, cert issued by SHA1 cert, PFS not available, etc?

    Does it check if encrypted content is traversing a 3rd-party CDN that is MiTM’ing some/all of the encrypted traffic?

    What does the green padlock actually mean?

    And is a site that gets a green padlock actually secure?

    And on a side note - why does Google think it fair to down-rank a site that doesn't use https even when all data transferred is public domain, eg news sites?

    1. Charles 9

      Re: What is checked?

      Chinese Cannon ring a bell? ANY unencrypted connection can be hijacked and injected with malware.
