Today marks the release of Google Chrome Version 46, which contains a notable change in Chrome’s SSL UI.
Google Chrome shows a security indicator to the left of the URL in the address bar – that’s where the Green Padlock and Green Address Bar live. There were also three other states that the indicator could take: a white “Page” icon used for HTTP connections, a lock with a yellow “caution triangle” for HTTPS with minor errors, or a lock with a red “X” for HTTPS with broken (insecure) configurations.
That meant there were four total states of UI for a website’s SSL configuration. Today that has been reduced to three; the lock with yellow “caution triangle” was removed. This icon was primarily seen when a website had “Mixed Content” – this means the site was using HTTPS but some of the resources on the page were loaded over HTTP – a mix of both secure and insecure origins, hence the name. You may also have seen this icon for websites using a SHA1-signed certificate expiring in 2016.
The icons and their display criteria are best shown below. This image came from Google’s Security Blog describing today’s changes:
Take a look at that yellow “Caution Triangle”. Doesn’t look so friendly, does it? We view that icon negatively because we have seen similar icons elsewhere, such as on product packaging and road signs, where they tell us to proceed with caution. Which is good advice! Because a page with Mixed Content can leak important information or be used for a phishing attack. However, it unfairly penalized sites for trying, and using SSL on some of your resources is better than none.
Website administrators and operators may have been hesitant to adopt SSL because the yellow Caution Triangle was perceived more negatively than the white Page icon reserved for HTTP, so the warning was doing more harm than good. See, Mixed Content isn’t always so easy to fix. Sometimes websites use external resources and services which don’t offer HTTPS as an option. Other websites may have deployment programs using hard-coded HTTP URLs or just have large archives and the lack of resources to update them all.
So, what does this change really mean? It has two great benefits. For one, it reduces the complexity of Chrome’s SSL UI. We know that most Internet users have only a casual familiarity with web security, so simplifying the amount of work they have to do to know when they are secure is a good thing. Secondly, this change makes it easier for websites to adopt SSL without the browser appearing as if there is a problem. This lowers the bar for implementing SSL and simplifies the lives of web developers and admins.
For those who are eagle-eyed, you will still see “https://” in the address bar, showing that the site is using SSL but isn’t totally secure. For those who need to know even more, you can still click the icon and view the “Connection” tab to read more about the particular issue. There you will see the “Caution Triangle” alive and well.
Of the major browsers, Microsoft’s Edge, Apple’s Safari and Opera already treated mixed content in similar ways. Mozilla’s Firefox is the only browser to retain a warning for passive mixed content.
Google Chrome has one of the most progressive and dedicated security teams. They have been making major improvements in Chrome’s handling and communication of SSL-related messages.
As they roll out their improvements we will be sure to keep you updated on the current status of SSL UI in Chrome and other web browsers.