[go: up one dir, main page]

Editor’s note: based on industry research (from Chrome and others), and the ubiquity of HTTPS, we will be replacing the lock icon in Chrome’s address bar with a new “tune” icon – both to emphasize that security should be the default state, and to make site settings more accessible. Read on to learn about this multi-year journey.


Browsers have shown a lock icon when a site loads over HTTPS since the early versions of Netscape in the 1990s. For the last decade, Chrome participated in a major initiative to increase HTTPS adoption on the web, and to help make the web secure by default. As late as 2013, only 14% of the Alexa Top 1M sites supported HTTPS. Today, however, HTTPS has become the norm and over 95% of page loads in Chrome on Windows are over a secure channel using HTTPS. This is great news for the ecosystem; it also creates an opportunity to re-evaluate how we signal security protections in the browser. In particular, the lock icon.


The lock icon is meant to indicate that the network connection is a secure channel between the browser and site and that the network connection cannot be tampered with or eavesdropped on by third parties, but it’s a remnant of an era where HTTPS was uncommon. HTTPS was originally so rare that at one point, Internet Explorer popped up an alert to users to notify them that the connection was secured by HTTPS, reminiscent of the “Everything’s Okay” alarm from The Simpsons. When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS. Today, this is no longer true, and HTTPS is the norm, not the exception, and we've been evolving Chrome accordingly.


For example: we know that the lock icon does not indicate website trustworthiness. We redesigned the lock icon in 2016 after our research showed that many users misunderstood what the icon conveyed. Despite our best efforts, our research in 2021 showed that only 11% of study participants correctly understood the precise meaning of the lock icon. This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon. Misunderstandings are so pervasive that many organizations, including the FBI, publish explicit guidance that the lock icon is not an indicator of website safety.




When shown Chrome UI in research studies, users would look at the padlock to evaluate the trustworthiness of a hypothetical ecommerce site. We showed the site controls to experiment participants. The overlaid heat-maps represent the click patterns of respondents who were asked to indicate any information which was perceived helpful in the scenario.



The lock icon is currently a helpful entry point into site controls in Chrome. In 2021, we shared that we were experimenting with replacing the lock icon in Chrome with a more security-neutral entry point to site controls. We continued to mark HTTP as insecure in the URL bar. Users in the experiment opened the site controls more, and they didn't express any confusion that can follow major UI changes.



Site controls currently accessible from the lock icon.

Based on these research results from ourselves and others, and the broader shift towards HTTPS, we will be replacing the lock icon in Chrome with a variant of the tune icon. We think the tune icon:

  • Does not imply "trustworthy"

  • Is more obviously clickable

  • Is commonly associated with settings or other controls 



We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings.



Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.


The new icon is scheduled to launch in Chrome 117, which releases in early September 2023, as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can see the new tune icon now in Chrome Canary if you enable Chrome Refresh 2023 at chrome://flags#chrome-refresh-2023, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.




Same page controls, new icon. The lock continues to exist as a precisely scoped entry point to connection security information, but with a new top-level access point.



We’ll be replacing the lock icon on Android at the same time as the broader desktop change. On iOS, the lock icon is not tappable, so we will be removing it entirely. On all platforms, we will continue to mark plaintext HTTP as insecure.


As HTTPS has become the norm, replacing the lock icon has long been a goal both of Chrome and the broader security community. We’re excited that HTTPS adoption has grown so much over the years, and that we’re finally able to safely take this step, and continue to move towards a web that is secure-by-default.



- By David Adrian, Serena Chen, Joe DeBlasio, Emily Stark, and Emanuel von Zezschwitz, and the rest of Chrome Trusty Transport from the Chrome Security team
Labels: , ,

In 2020, we announced we were in the early phases of establishing the Chrome Root Program and launching the Chrome Root Store. 


The Chrome Root Program ultimately determines which website certificates are trusted by default in Chrome, and enables more consistent and reliable website certificate validation across platforms. 


This post shares an update on our progress and how these changes help us better protect Chrome’s users.



What’s a root store or root program, anyway?

Chrome uses digital certificates (often referred to as “certificates,” “HTTPS certificates,” or “server authentication certificates”) to ensure the connections it makes on behalf of its users are secure and private. Certificates are responsible for binding a domain name to a public key, which Chrome uses to encrypt data sent to and from the corresponding website. 


As part of establishing a secure connection to a website, Chrome verifies that a recognized entity known as a “Certification Authority” (CA) issued its certificate. Certificates issued by a CA not recognized by Chrome or a user’s local settings can cause users to see warnings and error pages.


Root stores, sometimes called “trust stores”, tell operating systems and applications what certification authorities to trust. The Chrome Root Store contains the set of root CA certificates Chrome trusts by default. 


A root program is a governance structure that establishes the requirements and security review functions needed to manage the corresponding root store. Members of the Chrome Security Team are responsible for the Chrome Root Program. Our program policy, which establishes the minimum requirements for CAs to be included in the Chrome Root Store, is publicly available here.  



Why is Chrome making these changes?

Historically, Chrome integrated with the root store and certificate verification process provided by the platform on which it was running. Standardizing the set of CAs trusted by Chrome across platforms through the transition to the Chrome Root Store, coupled with a consistent certificate verification experience through the use of the Chrome Certificate Verifier, will result in more consistent user and developer experiences. 


Launching the Chrome Root Program also represents our ongoing commitment to participating in and improving the Web PKI ecosystem. Innovations like ACME have made it easier than ever for website owners to obtain HTTPS certificates. Technologies like Certificate Transparency promote increased accountability and transparency, further improving security for Chrome’s users. These enhancements, only made possible through community collaboration, make the web a safer place. However, there’s still more work to be done. 


We want to work alongside CA owners to define and operationalize the next generation of the Web PKI. Our vision for the future includes modern, reliable, highly agile, purpose-driven PKIs that promote automation, simplicity, and security - and we formed the Chrome Root Program and corresponding policy to achieve these goals.



When are these changes taking place?

A “rollout” is a gradual launch of a new feature. Sometimes, to ensure it goes smoothly, we don’t enable a new feature for all of our users at once. Instead, we start with a small percentage of users and increase that percentage over time to ensure we minimize unanticipated compatibility issues. The Chrome Root Store and Certificate Verifier began rolling out on Windows and macOS in Chrome 105, with other platforms to follow.


Testing ahead of the rollout described above is possible on Windows and macOS using these instructions.

Will these changes impact me?

We expect the transition to the Chrome Root Store and Certificate Verifier to be seamless for most users, enterprises, and CA owners. 


The Chrome Certificate Verifier considers locally-managed certificates during the certificate verification process. This means if an enterprise distributes a root CA certificate as trusted to its users (for example, by a Windows Group Policy Object), it will be considered trusted in Chrome.


Troubleshooting procedures and other frequently asked questions are available here.



What’s next?

While we don’t know exactly what the future of the Web PKI will look like, we remain focused on promoting changes that increase speed, security, stability, and simplicity throughout the ecosystem.


With that in mind, the Chrome team continues to explore introducing future root program policy requirements related to the following initiatives:


  • Encouraging modern infrastructures and agility

  • Focusing on simplicity

  • Promoting automation

  • Reducing mis-issuance

  • Increasing accountability and ecosystem integrity

  • Streamlining and improving domain validation practices

  • Preparing for a “post-quantum” world


We look forward to continuing our collaboration with members of the CA/Browser Forum and other Web PKI ecosystem participants to make the Internet a safer place.



Posted by Ryan Dickson, Chris Clements, Emily Stark from Chrome Security
Labels: , ,


When a browser connects to websites over HTTPS (vs. HTTP), eavesdroppers and attackers on the network can't intercept or alter the data that's shared over that connection (including personal info, or even the page itself). This level of privacy and security is vital for the web ecosystem, so Chrome continues to invest in making HTTPS more widely supported.

Thankfully, HTTPS adoption has come a long way in recent years, and most operating systems now see 90%+ of page loads over HTTPS in Chrome. Still, there's more we can do to help make HTTPS the preferred protocol on the web, and better protect users on the remaining slice of the web that doesn’t yet support HTTPS, so today we're sharing some future work in this area.



Opting in to an HTTPS-First World

Beginning in M94, Chrome will offer HTTPS-First Mode, which will attempt to upgrade all page loads to HTTPS and display a full-page warning before loading sites that don’t support it. Users who enable this mode gain confidence that Chrome is connecting them to sites over HTTPS whenever possible, and that they will see a warning before connecting to sites over HTTP. Based on ecosystem feedback, we’ll explore making HTTPS-First mode the default for all users in the future. Mozilla has also shared their intent to make HTTPS-only mode the future of web browsing in Firefox.



Experimenting with the lock icon
As we approach an HTTPS-first future, we're also re-examining the lock icon that browsers typically show when a site loads over HTTPS. In particular, our research indicates that users often associate this icon with a site being trustworthy, when in fact it's only the connection that's secure. In a recent study, we found that only 11% of participants could correctly identify the meaning of the lock icon. To try and reduce this confusion, Chrome will run an experiment in M93 that replaces the lock in the address bar with a more neutral entry point to Page Info (example below). We hope that this experiment will improve the discoverability of critical privacy and security information and controls provided in Page Info, such as site permissions. Importantly, a "Not Secure" indicator will continue to show on sites without HTTPS support, and the experiment includes an enterprise policy in case organizations want to opt-out. In all cases, we'll provide advance notice if we decide to move ahead with a full launch.





Protecting users on the HTTP web
While we are excited to see users adopt HTTPS-First Mode in future versions of Chrome, HTTP connections will still continue to be supported and Chrome will take additional steps to protect and inform users whenever they are using insecure connections. Continuing from our past efforts to restrict new features to secure origins and deprecate powerful features on insecure origins, we’ll evaluate a broad set of web platform features to determine if they should be limited or restricted on HTTP webpages.

In order to focus on changes that provide the greatest security improvements to our users, we are relying on a set of guiding principles to prioritize our future work in this area:

  • Better inform users when making trust decisions about sites over insecure connections
  • Limit the ability for sites to opt out of security policies over insecure connections
  • Restrict how, and for how long, Chrome stores site content provided over insecure connections
A deeper explanation of how we plan to act on these principles, as well as an updated list of affected features will be maintained on the Chromium wiki and we are excited to announce more details later this year.

Posted by Shweta Panditrao, Devon O'Brien, Emily Stark, Google Chrome team


Labels: ,

Update (10/07/2020): Mixed form warnings were originally scheduled for Chrome 86, but will be delayed until Chrome 87.


Beginning in M86, Chrome will warn users when they try to complete forms on secure (HTTPS) pages that are submitted insecurely. These “mixed forms” (forms on HTTPS sites that do not submit on HTTPS) are a risk to users’ security and privacy. Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data. 


Specifically, Chrome will be making the following changes to communicate the risks associated with mixed form submission:


  • Autofill will be disabled on mixed forms.
    Note: On mixed forms with login and password prompts, Chrome’s password manager will continue to work. Chrome’s  password manager helps users input unique passwords, and it is safer to use unique passwords even on forms that are submitted insecurely, than to reuse passwords.

  • When a user begins filling out a mixed form, they will see warning text alerting them that the form is not secure.

          


  • If a user tries to submit a mixed form, they will see a full page warning alerting them of the potential risk and confirming if they’d like to submit anyway.

        



Before M86, mixed forms were only marked by removing the lock icon from the address bar. We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms.


We encourage developers to fully migrate forms on their site to HTTPS to protect their users. Developers with questions are welcome to email us at security-dev@chromium.org.


Posted by Shweta Panditrao, Chrome Security Team
Labels: , , ,