Google Chrome to no longer show secure website indicators

Tutman

Level 12
Thread author
Verified
Top Poster
Well-known
Apr 17, 2020
542
Google Chrome will no longer show whether a site you are visiting is secure and only show when you visit an insecure website.
For years, Google has been making a concerted effort to push websites into using HTTPS to provide a more secure browsing experience.
To further push web developers into only using HTTPS on their sites, Google introduced the protocol as a ranking factor. Those not hosting a secure site got a potentially minor hit in their Google search results rankings.
It has appeared to have worked as according to the 'HTTPS encryption on the web' of Google's Transparency Report, over 90% of all browser connections in Google Chrome currently use an HTTPS connection.

Currently, when you visit a secure site, Google Chrome will display a little locked icon indicating that your communication with the site is encrypted, as shown below.
Security indicator shown in address bar



As most website communication is now secure, Google is testing a new feature that removes the lock icon for secure sites. This feature is available to test in Chrome 93 Beta, and Chrome 94 Canary builds by enabling the 'Omnibox Updated connection security indicators' flag.
Security indicators to be removed in Google Chrome


With this feature enabled, Google Chrome will only display security indicators when the site is not secure, as shown below.
Showing 'Not secure' indicator for insecure sites



 

Gangelo

Level 6
Verified
Well-known
Jul 29, 2017
268
Noone looks for the padlock, not even the computer savvy users. I know I don't.
It's funny how this has turned into a major matter in various forums.
Few will care and even fewer will notice.
The 'Not Secure' indication is more important IMHO.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Interesting decision. I know one of the few things my elderly family members managed to learn was 'look for the padlock'. If this flows through to Edge I'll have to ask them to make sure it doesn't says Not Secure instead
Just like my mother-in-law felt unsafe because they don't show green for EV certificates when she visits the site of her bank.
I installed the certificate info extension for her.
They don't think about the elderly when making these kind of changes :mad:
 

qua3k

Level 1
Jul 18, 2021
19
Just like my mother-in-law felt unsafe because they don't show green for EV certificates when she visits the site of her bank.
The reason behind this change is because of situations like this one. Users should be looking for negative feedback instead of trivially faked positive feedback; non-secure sites have been known to fill pages with locks indicating 'secure'. EV certs also don't work to protect users, which is why the info was also hidden. See
I installed the certificate info extension for her.
Extensions are insecure. Granting an extension the ability to script all origins and communicate to an external server is harmful.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
The reason behind this change is because of situations like this one. Users should be looking for negative feedback instead of trivially faked positive feedback; non-secure sites have been known to fill pages with locks indicating 'secure'. EV certs also don't work to protect users, which is why the info was also hidden. See
Extensions are insecure. Granting an extension the ability to script all origins and communicate to an external server is harmful.
I absolutely don't agree. I see is no real evidence that it didn't work to protect users. Even if it saves one user from fraud it is a win.
The banks still use an expensive EV certificate. Why not show that?
When the site of her bank didn't display the green field in Internet Explorer my mother-in-law called me for advice before entering that site.
That was a wise thing to do. When in doubt ask first.
The only way to replicate the behavior (that she is accustomed to) in a modern browser is with the certificate info extension.
That extension only receives the hostname. I don't see the harm in that.
Due to the limitation of Chrome's extension API, the validation info needs to be fetched from the server, which only receives the hostname. In TLS, hostnames are already submitted in plaintext because of SNI.
 
Last edited:

qua3k

Level 1
Jul 18, 2021
19
I absolutely don't agree. I see is no real evidence that it didn't work to protect users. Even if it saves one user from fraud it is a win.
Suggest you read the linked resources. There have been multiple studies conducted on this. EV certs fundamentally don't work. Oh look, a Stripe, Inc EV cert. You should talk with your mother and tell her to look for the 'Not secure' feedback instead of the flawed positive feedback. Additionally, take a look at Moxie's SSLStrip talk where he uses positive feedback to his advantage.

That extension only receives the hostname. I don't see the harm in that.
Content scripts run in the context of all tabs and introduce new dangerous attack surface that can be used to bypass Chrome's site-bound renderer isolation. An extension has the ability to access everything in the DOM. I fail to see how this isn't a serious concern, especially with an extension that can communicate with a third party server. Justin Schuh, previously Chrome Security Lead, echos these concerns.
 
Last edited:

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Suggest you read the linked resources. There have been multiple studies conducted on this. EV certs fundamentally don't work. Oh look, a Stripe, Inc EV cert. You should talk with your mother and tell her to look for the 'Not secure' feedback instead of the flawed positive feedback. Additionally, take a look at Moxie's SSLStrip talk where he uses positive feedback to his advantage.


Content scripts run in the context of all tabs and introduce new dangerous attack surface that can be used to bypass Chrome's site-bound renderer isolation. An extension has the ability to access everything in the DOM. I fail to see how this isn't a serious concern, especially with an extension that can communicate with a third party server. Justin Schuh, previously Chrome Security Lead, echos these concerns.
Of course, EV certificates aren't foolproof, nothing is nowadays, but they are better than nothing and still used by for example all the banks in my country.
The comments on some of the articles are interesting:
Your attitude is exactly what's wrong with Chrome.

"Most user don't use it therefore let's remove it", but there are people who understand and there are people who care, and there are situations where it does matter.

This is not a problem with EV or the SSL tech itself, it's a problem of user education and awareness. Rather than removing the EV indicator, what Chrome should have been doing is to educate users on how to protect themselves. What's missing is advocacy and tools to make it easier to be warned when a site that should be using EV, unexpectedly stop doing so. The EV indicator and certificate inspector is working just fine, people who relies on them uses them for what they are: one of the many tools in your arsenal to evaluate a site's identity. You and the Chrome people treats every internet users like idiots.
I am very sorry to say it so clearly, but you are wrong in many ways.

1) Because EV is no longer visible, it is in fact dead. Or would you expect that your 500 Employees must klick to the SSL Icon and manually check it? Would you trust that they are doing it? Of course not. EV is dead because its benefits are not transparent.

2) We have 650 employees. It's really extremely easy to explain them that they have to pay attention to the Green Bar.
Our tests also showed that this simple training worked very well: when we activated a normal certificates, even non-technical users raised the alarm.

3) Of course CyberCrime works the easier they can steal credentials. Without EV and minimal trained employees, it's *extremely* easy to clone any Login page. You just have to send an E-Mail to the Employees and hope that 1 of 1000 uses the provided link. With a transparent EV you would have to send 1'000'000 Mails, because if one employee sees the missing green bar on the fake site, then our Mail Filter will kill those mails and the Employees get a new training session.

Yes, it's a shame that the industry decided to kill EV. The don't even offer to keep it using.
It feels like they get money to remove security, because: in fact: who was legitimately disturbed at the green bar or was even hindered in his work?

Killing the EV is the same sick thinking as one of our WLAN providers has:

They do not encrypt WLAN because: "it can be hacked anyway."
I agree with you that using an extension is not the best solution.
Does anybody know an up-to-date modern browser that still shows a green lock for sites with an EV certificate?
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,052
Does anybody know an up-to-date modern browser that still shows a green lock for sites with an EV certificate?

As already mentioned by @Moonhorse => Vivaldi still shows the "green lock" for websites with EVC

EVC.png


Note: Honestly, I don't know it works for all banking websites in Europe or even around the world...
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505

Jan Willy

Level 11
Verified
Top Poster
Well-known
Jul 5, 2019
544
In Firefox you can enable in the about:config settings the Extended Validation (EV) certificate name for any website in the address bar. There you can also change the color of the padlock (of course not the best solution for colorblinds). See https://www.askvg.com/firefox-tip-r...icon-for-secure-https-websites-in-address-bar
I don't use Waterfox, but I know that it also shows the green padlock.
Edit 1: by the way, I don't like to add extensions for this kind of stuff.
Edit 2: Obviously the first setting doesn't work anymore. Sorry.
 
Last edited:

qua3k

Level 1
Jul 18, 2021
19
they are better than nothing
They are actively worse than nothing. It’s trivial to register a business and an EV cert and relying on “the green indicator with the name of my bank” is harmful. “Banks use them therefore they still have value” does not justify harmful UI design. Browser vendors didn’t only do this because nobody changed their behaviors based on whether they saw the green padlock. I know you don’t like it but it’s the reality of it.
They do not encrypt WLAN
WPA should not be used as a security boundary; use strong authenticated encryption and avoid putting unnecessary trust in local networks.
 
Last edited:
  • Like
Reactions: Venustus

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top