The Downsides of Google’s Chrome Security Push

Google has world-class security and privacy teams, but I continue to have misgivings about certain aspects of their Chrome browser security push, particularly the warnings shown to users when a connection uses unencrypted http: rather than encrypted https:.

While the push to encrypt Internet connections by default is a laudable one, it is also essential that the practical realities facing site operators, and the way users will actually react to the warnings, be carefully considered.

I touched on some of this over a year ago in “Falling Into the Encryption Trap” — but now that Google has made more explicit their plans for browser address bar warnings to users regarding http: connections, I’m again concerned.

Apparently in January of next year Google intends to replace the current quite reasonable “information circle” indicating non-encrypted pages, with an explicit “Not secure” warning — ultimately to be displayed in bright red with a danger triangle.

I am absolutely certain — based on the many queries I receive routinely from users who are already confused and concerned about other security warnings they see and misunderstand — that the escalation to these sorts of warnings by Chrome will vastly and unnecessarily increase confusion and even panic among significant categories of non-techie users when accessing various sites important to them.

Because the truth of the matter is that it remains both impractical and unnecessary for all sites to convert to https: at this time.

It is certainly true that, in theory, any site served over http: could become a vector for misinformation or malware if its connections were manipulated by a man-in-the-middle (anyone on the network path can alter an unencrypted page in transit), and the use of insecure and/or poorly managed ad networks increases the risks in this context.

But as a practical matter, the vast majority of exploits that users must contend with do not come from the manipulation of Internet connections. Rather, infections via email phishing, contaminated sites, and similar techniques represent the overwhelming majority of successful attack vectors.

Still, it is inarguable that all else being equal, having all connections as encrypted https: rather than unencrypted http: is extremely desirable.

Unfortunately, all else isn’t equal.

There are uncountably vast numbers of legacy sites that provide widely referenced information to enormous numbers of users, yet do not sell anything, don’t collect usernames or passwords or other private information, and don’t participate in any ad networks.

Many of these sites have been online not just for many years but for decades. They typically use older software that is difficult or impractical to update directly, and they frequently operate on a shoestring (or even zero) budget while generating no income at all.

It will frequently prove impossible, in terms of money and/or time, for the operators of such sites to convert to https:. Yet Chrome's warning system will likely lead their users to assume that they are actually being spied on, when in fact such surveillance of any given connection is theoretical and, in practice, an extremely low-probability event.

And while the cost of encryption certificates has now dropped to zero with the advent of services such as Let's Encrypt, the effort required to actually make them work on an existing site can be anything but trivial.

I recently converted all of my sites, some of very long standing, to https: using Let’s Encrypt. Even though my sites are not fancy in any way, it was an enormous amount of work, and required every ounce of knowledge I had regarding the sites’ internal architectures. While Let’s Encrypt promotes scripts to supposedly handle such conversions automatically, I cannot recommend those procedures except for the very most trivial and simplistic of sites — anything beyond that and you’re liable to end up with a mangled site configuration nightmare — you’d better have good backups handy!
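One reason an https: conversion of an old site is more than "install a certificate" is that decades of hand-edited pages tend to contain absolute http: references to their own scripts, stylesheets and images. Once the page itself is served over https:, browsers block or warn about those "mixed content" subresources, so the site can end up looking broken even though the certificate is working. The following scanner is an added example, not code from the original post or from Let's Encrypt; it walks a page's HTML, flags every subresource reference that would still resolve to http: after migration, and proposes an https: rewrite for hosts you control. The sample HTML, the host names and the choice of attributes checked are assumptions made for the example.

```python
"""Pre-migration mixed-content scan.

Added example, not from the original post. Before switching a legacy site to
https:, find the subresource references that would be loaded over plain http:
(and therefore blocked or flagged by the browser) once the page itself is
encrypted. Uses only the Python standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches as a subresource of the page.
# The set is an assumption for this example; extend it for your own markup.
# Note: <a href> is deliberately absent: a plain link to an http: page is a
# navigation, not mixed content, and merely costs a redirect if one is set up.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),          # stylesheets, icons, etc.
    "img": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),        # browsers also warn on forms posting to http:
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, raw_value, line_number) for http: subresources."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Resolve against the post-migration page URL so that relative
            # paths ("/style.css") and scheme-relative references
            # ("//cdn.example.net/lib.js") inherit https: and are not flagged.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, value.strip(), self.getpos()[0]))


def scan_html(html, page_url="https://www.example.org/index.html"):
    """Return the list of http: subresource references found in `html`,
    as if the page were served from `page_url` (assumed https: after migration)."""
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def propose_fixes(findings, own_hosts):
    """For each finding, propose an https: URL if the host is one you control
    (it will serve https: once your certificate is installed). A third-party
    host may not offer https: at all, so those are returned with None and
    must be checked by hand rather than rewritten blindly."""
    proposals = []
    for _tag, _attr, url, line in findings:
        parts = urlsplit(url)
        if parts.netloc in own_hosts:
            proposals.append((line, url, parts._replace(scheme="https").geturl()))
        else:
            proposals.append((line, url, None))
    return proposals


# Constructed sample page (not a real site) illustrating the usual mix:
# a local relative stylesheet, an absolute http: self-reference, a
# scheme-relative CDN script, a third-party http: tracking image, and a
# plain navigation link that is not a subresource.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/style.css">
<script src="http://www.example.org/js/menu.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://images.example.org/logo.gif">
<img src="http://counter.example.net/hit.gif">
<img src="images/photo.jpg">
<a href="http://www.example.org/page2.html">next page</a>
<iframe src="https://embed.example.com/x"></iframe>
</body></html>"""

# Hosts assumed to belong to the site being migrated.
OWN_HOSTS = {"www.example.org", "images.example.org"}

if __name__ == "__main__":
    for line, url, fix in propose_fixes(scan_html(SAMPLE_HTML), OWN_HOSTS):
        print(f"line {line}: {url} -> {fix or 'third-party host, check manually'}")
```

Running the script on the sample reports three references: the two on the site's own hosts get https: rewrites, and the third-party counter image is left for manual review. The scan only sees references written in the HTML itself; url() references inside stylesheets, requests constructed by JavaScript, and redirects configured on the web server need their own checks, which is exactly where the "enormous amount of work" on a non-trivial site tends to hide.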

I’m frankly uncertain how to best achieve a practical compromise position regarding browser security warnings.

I do know that a scary red “Not secure” warning is likely to unnecessarily panic many users and unreasonably disadvantage many sites.

This is especially true when there is no explicit indication to users of how they can obtain more information about that warning, such as what it really means in terms of actual risk, in language that non-techies will actually understand. Even now, the security details that Chrome provides, if one knows to click on the address bar security icon, are pretty much technical gobbledygook as far as most users are concerned.

My sense is that despite their great skills in privacy and security matters, Google has not genuinely considered the impacts of their upcoming browser warnings on significant segments of the user and site populations, who by and large do not live 24/7 in the same rarefied security worlds as do many of us.

Luckily, this is a fixable problem, if Google is willing to put forth the effort and outreach to fix it. I respectfully urge them to do so.

Be seeing you.

I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
– – –
The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!