Understanding Google Chrome’s Upcoming https Changes

Can a single word create broad-sweeping implications to how we use the internet? It most certainly can, and an upcoming software update to Google Chrome may drive a false sense of security while shaming other sites all due to a single word: Secure.


If you’re reading this while on Google Chrome, you likely noticed at once point or another the Omnibox that says this site is secure. There is a green lock next to it, it’s front and center, and even the https part of the URL is highlighted in green.

To a majority of web users, this little lock and notice of the site being secure means that the site may be safe or legitimate; however, that is just an unfortunate misunderstanding of what https really mean. Https does not inherently and fully mean that a site is secure. It only means that there is secure or encrypted communication between the site and server.

Case and point: our threat intelligence manager’s article that was published last December, which in turn gained further coverage on Wired, Krebs, and a few other sites. In that piece we highlighted how threat actors were using more phishing sites with https enabled on them due to the perceived trust, which further misleads would be victims.

\In a few months when Google Chrome launches its next big update, the Omnibox will further create a divide between sites that do and do not use https. Once updated, Chrome will begin to shame sites that don’t use https by listing “Not Secure” in the omnibox. Currently sites that don’t use it show no identifier and only their regular URL. In turn, marking or shaming these sites could further emboldens the definition and misconception of what https actually means for a website.

Phasing out Symantec SLL Certs

In addition to the shift in messaging coming to Google Chrome’s Omnibox, the new version of the browser will also discontinue support for Symantec-issued SSL/TLS certs. This could pose a larger issue of trust as there are tens of thousands of sites that use them or a cert brokered through Symantec as a third-party.

This change means when the software update rolls out, people who visit these sites using Chrome will be presented by a full screen warning stating that their connection is not private and someone could steal their information. Now that is a quick way to lose traffic and scare your users, especially when they must choose to progress forward past the warning.

"Starting with Chrome 66 (April 17, 2018), Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016"

I am on Chrome canary (already 66), and A LOT. LOT. of websites are in error. pic.twitter.com/1Ia8iZqZRO

— Vincent Voyer (@vvoyer) February 3, 2018

Article Link: https://info.phishlabs.com/blog/google-chromes-https-changes-omnibox