Pages

Thursday, 7 June 2018

How your web browser tells you when it's safe

secure encrypted internet web browser address bar

As Google moves to change how its Chrome browser flags insecure websites, rival browsers may be forced to follow suit. Here's how other browsers currently handle website security and what changes they have coming.

 

Google last week spelled out the schedule it will use to reverse years of advice from security experts when browsing the Web - to "look for the padlock." Starting in July, the search giant will mark insecure URLs in its market-dominant Chrome, not those that already are secure.

Google's goal? Pressure all website owners to adopt digital certificates and encrypt the traffic of all their pages.


The decision to tag HTTP sites those not locked down with a certificate and which don't encrypt server-to-browser and browser-to-server communications - rather than label the safer HTTPS websites, didn't come out of nowhere. Google has been promising as much since 2014.

And Google will likely prevail: Chrome's browser share, now north of 60%, almost assures that.
Security pros praised Google's campaign, and the probable end-game.

 "I won't have to tell my mom to look for the padlock," said Chester Wisniewski, principal research scientist at security firm Sophos, of the switcheroo. "She can just use her computer."

But what are Chrome's rivals doing? Marching in step or sticking to tradition? Computerworld fired up the Big Four - Chrome, Mozilla's Firefox, Apple's Safari and Microsoft's Edge - to find out.

Safari

Apple's browser currently uses the traditional model of signage: It puts a small padlock icon in the address bar when a page is protected by a digital certificate and traffic between the Mac and site server is encrypted.

No padlock? That means the site does not encrypt traffic.

Recent versions of the browser, however, take additional steps in certain circumstances. If the user is at an insecure site one not locked down with a certificate and encryption and attempts tasks such as entering info into log-on fields or those designed to accept credit card numbers, Safari throws up a red text warning in the address bar that starts as Not Secure and then changes to Website Not Secure.

Those hard-to-miss alerts debuted with the version of Safari bundled with macOS 10.13.4, an update issued March 29. (Mac owners running OS X 10.11 (El Capitan) or macOS 10.12 (Sierra) got the same functionality in the Safari 11.1 update on the same day.)