Spotlight: Your Browser is Speaking (and You Should Listen)

Posted October 17th, 2017 at 3:27 pm.

Community members often report that it’s hard to understand messages or icons that may appear in their browser.  They don’t know which messages are informational, and which represent real issues.

Modern browsers have many subtle ways to communicate, and some of the messages they’re sending are a big deal.  Being able to decode these is a major piece in the puzzle of safety on the Web.

Note: Examples in this post unless otherwise noted are from Google Chrome (version 59), Bryn Mawr’s recommended browser.  Other browsers have similar signals which may appear slightly different but have similar meanings.  See the browser developer’s help pages for more information.

Browser Signals

Your browser communicates a lot of information in the address bar. The most critical piece of information is the security status of the site you’re communicating with.  Most browsers use a combination of colors and icons to let you know if you are safe.

In Chrome, for example, you will see icons in red, gray, and green.  The most common are these, appearing at the left of your address bar:

  • Lock icon: Secure
  • Info icon: Info or Not secure
  • Dangerous icon: Not secure or Dangerous

These descriptions come from https://support.google.com/chrome/answer/95617. Yes, two of those options say “not secure”…we’ll get back to that in just a moment.

You may also see the insecure content icon on the right side of your address bar, next to the bookmark star.

What do these mean?

The icons shown above all have to do with the security certificate of the site.  There’s a detailed explanation of certificates available from the US-CERT (part of DHS), but these are the basics, per Google:

“When you go to a site that uses HTTPS (connection security), the website’s server uses a certificate to prove the website’s identity to browsers, like Chrome. Anyone can create a certificate claiming to be whatever website they want.

To help you stay safe on the web, Chrome requires websites to use certificates from trusted organizations.”

Lock icon: Secure

When you see the green padlock, you know that the certificate is from a trusted provider and has been issued for the address and server you are trying to reach. This means that the connection between you and the server is encrypted (safe) and you can enter personal or sensitive data.  Most browsers use some combination of closed padlock icons and green text to indicate this state.

Some sites purchase an additional level of certificate verification, which makes the name of the organization or site appear instead of the word “Secure.”

While this extra level of verification is a good thing (and you should definitely expect it from your financial institution), a site that simply says “secure” is not necessarily suspect. Green means verified and using security considered valid by the browser.

On the other hand, green does not necessarily mean go.  You should look at the URL (or Web address) and make sure you ended up where you were planning to go.  In the first example, the site is an ftc.gov site.  Sounds good.  However, what if you had been trying to find US consumer information and ended up at an address reading “https://scam.usa-is-terrible.ru”?  Someone may have registered this Russian domain and obtained a valid security certificate for it (“Secure”), but it’s still not a place you want to be.

Info icon: Info or Not secure

Google uses this icon to indicate that a site is not secure and your communications with it are not private, but that it is not clearly malicious and you should use judgement before proceeding.

In this example, the address is for a site that posts news articles.  While it’s a good general best practice to always use HTTPS (rather than the unsecured HTTP), in this case there may be no reason to be concerned, especially if you aren’t planning to log in or enter any data.

Beginning in October 2017, Chrome will warn users that an HTTP page is not secure under the following circumstances:

  • When the user is entering data into an HTTP page
  • On all HTTP pages visited in Incognito/private browsing mode.

Chrome is already marking HTTP pages with password or credit card fields as “Not Secure.”

You should use caution on any site with this warning, and refrain from entering any sensitive or personal information.

Clicking on the info icon displays the following:

This menu gives you more information about the site’s security and allows you to override your security settings for the site you’re on.

Dangerous icon: Not secure or Dangerous

This indicates not only that the site isn’t secure, but it is presenting information in a way that your browser has identified as suspect.  It may be using an outdated and insecure protocol, presenting a certificate belonging to a different address or server, or have a “self-signed” certificate (meaning it may be providing valid encryption, but that it is not issued from a trusted authority).

Google says:

“We suggest you don’t enter any private or personal information on this page. If possible, don’t use the site.

Not secure: Proceed with caution. Something is severely wrong with the privacy of this site’s connection. Someone might be able to see the information you send or get through this site.

You might see a “Login not secure” or “Payment not secure” message.

Dangerous: Avoid this site. If you see a full-page red warning screen, the site has been flagged as unsafe by Safe Browsing. Using the site will likely put your private information at risk.”

When you see this icon, you will sometimes also see a second icon in the address bar, indicating a broken or untrusted certificate.
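The two checks behind the padlock described above (is the certificate issued for the address in the address bar, and does it come from a trusted authority) can be modelled in a few lines. This is an added example, not code from the original post or from Chrome; the function names are invented, and it deliberately compares only the hostname, which is why the valid certificate for the Russian domain from the earlier section still earns “Secure.”

```javascript
// Added example, not code from the original post or from Chrome: a minimal
// model of the two checks behind the "Secure" vs "Dangerous" verdict.
// dnsNameMatches() follows the usual browser rules for a certificate's DNS
// names: case-insensitive, trailing dot ignored, and a wildcard is honoured
// only as the entire leftmost label, matching exactly one label.
function dnsNameMatches(pattern, hostname) {
  const p = pattern.toLowerCase().replace(/\.$/, "");
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (!p.includes("*")) return p === h;
  const pLabels = p.split(".");
  const hLabels = h.split(".");
  // Reject "*.gov" style patterns and wildcards that are not a whole label.
  if (pLabels[0] !== "*" || pLabels.length < 3) return false;
  if (pLabels.length !== hLabels.length) return false;
  return pLabels.slice(1).join(".") === hLabels.slice(1).join(".");
}

// `trusted` is whether the certificate chains to a trusted authority (false
// for a self-signed certificate); `sanDnsNames` are the names it was issued
// for. Only the hostname from the address bar is compared, which is why a
// valid certificate for "scam.usa-is-terrible.ru" still earns "Secure".
function connectionVerdict({ url, trusted, sanDnsNames }) {
  const { protocol, hostname } = new URL(url);
  if (protocol !== "https:") return "Not secure"; // plain HTTP: info icon
  const hostMatches = sanDnsNames.some((n) => dnsNameMatches(n, hostname));
  // A name mismatch or an untrusted issuer is what turns the indicator red.
  return trusted && hostMatches ? "Secure" : "Dangerous";
}
```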

The Insecure Content Icon

The insecure content icon will appear when the site is properly secured (green), but some elements included on the page are not secured.  This is called “mixed content” and is often frowned upon by Web developers. Often these items are simply ads or other harmless content, but there is reason to be cautious.

Clicking on this icon may display the error “This page is trying to load scripts from unauthenticated sources.” This error is cause for concern because those scripts may be used in forms that collect data, or may be inserted in ads or other media to maliciously collect data from or try to control your computer.  If you can avoid using a site where this icon appears, you should do so.  The good news is that Chrome won’t run the suspect scripts unless you specifically tell it to.

Learn more at https://support.google.com/chrome/answer/1342714
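The distinction the section above draws, between harmless mixed content such as images and the scripts Chrome refuses to run, can be audited for a page's resource list. This is an added example, not code from the original post or from Chrome; the function names and the sample page and hosts are constructed, and the type split follows the W3C Mixed Content categories.

```javascript
// Added example, not code from the original post or from Chrome: a small
// audit of the subresources an HTTPS page loads, split the way browsers
// split mixed content. Active types (scripts, stylesheets, frames, fonts,
// fetches) are blocked; passive types (images, audio, video) are loaded
// but trigger the insecure-content icon. Names and sample data are constructed.
const BLOCKABLE_TYPES = new Set(["script", "stylesheet", "iframe", "fetch", "object", "font"]);

function classifyResource(pageUrl, resourceUrl, type) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return "page-not-https";
  // Relative and protocol-relative URLs ("//cdn.example/lib.js") resolve
  // against the page, inherit its https scheme, and are never mixed.
  const res = new URL(resourceUrl, page);
  if (res.protocol !== "http:") return "secure"; // https:, data:, blob:, ...
  return BLOCKABLE_TYPES.has(type) ? "blocked-mixed" : "passive-mixed";
}

// Summarise a page the way the address-bar icon does.
function auditPage(pageUrl, resources) {
  const s = { secure: 0, passiveMixed: 0, blockedMixed: 0, blockedUrls: [], indicator: "secure" };
  if (new URL(pageUrl).protocol !== "https:") {
    s.indicator = "not-secure"; // whole page is plain HTTP: nothing to mix
    return s;
  }
  for (const { url, type } of resources) {
    const verdict = classifyResource(pageUrl, url, type);
    if (verdict === "secure") s.secure++;
    else if (verdict === "passive-mixed") s.passiveMixed++;
    else { s.blockedMixed++; s.blockedUrls.push(new URL(url, pageUrl).href); }
  }
  if (s.passiveMixed + s.blockedMixed > 0) s.indicator = "insecure-content";
  return s;
}

// Constructed sample: an HTTPS news page pulling in one http:// ad script
// and one http:// banner image (none of these hosts are real).
const SAMPLE_PAGE = "https://news.example/article/1";
const SAMPLE_RESOURCES = [
  { url: "/static/app.js", type: "script" },
  { url: "//cdn.example/lib.js", type: "script" },
  { url: "http://ads.example/track.js", type: "script" },
  { url: "http://img.example/banner.png", type: "image" },
  { url: "https://fonts.example/f.woff2", type: "font" },
];
```

Running `auditPage(SAMPLE_PAGE, SAMPLE_RESOURCES)` reports the ad script as blocked, the banner as passive mixed content, and the insecure-content indicator for the page.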

Warnings and Blocked Content

When your browser identifies a site as risky, you will typically also receive either a pop-up telling you the issue with the site, or in some cases the entire browser window will present a warning before allowing you to proceed.  Like the above, it may occasionally be OK to proceed, but if you have any question at all, you should not proceed, or should contact the Help Desk (x7440, help@brynmawr.edu) for further assistance.

In Chrome, if you see the red window (below) you should not proceed forward.

Chrome may also block unsafe attachments, and you will see a warning in the download bar across the bottom of the window:

Learn more at https://support.google.com/chrome/answer/99020.

Think before saying OK

Your browser has warnings and security to protect you.  As seen on the menu above, sites may ask for control of your camera, microphone, and other parts of your computer.  You may also be asked to download harmful attachments.  Read all warnings carefully and proceed with caution or you may place yourself and your data (and identity) at risk.

If you have any question at all, you should not proceed, or should contact the Help Desk (x7440, help@brynmawr.edu) for further assistance.

Private Browsing

Most browsers have a “private” browsing mode, like Chrome’s Incognito windows.  This is designed both to keep your computer clean of traces from your browsing, and if necessary to give you a “safe mode” — a way to access a page free of extensions and caching issues.  Using private browsing affects what is stored on your local computer.  It does not affect what is transmitted to or stored on remote servers which you may access via Web sites.  Private browsing is not a failsafe substitute for other security measures.

Learn more at https://support.google.com/chrome/answer/95464.

Resources

https://support.google.com/chrome/answer/95617

https://support.google.com/chrome/answer/6098869

https://www.google.com/chrome/browser/features.html#security

https://support.google.com/chrome/answer/1342714

https://support.google.com/chrome/answer/99020

https://www.google.com/transparencyreport/safebrowsing/

https://support.google.com/chrome/

https://support.google.com/chrome/answer/95464

https://support.microsoft.com/en-us/help/17430/windows-internet-explorer-certificate-errors-faq

https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure


Filed under: Announcements. By Amy Pearlman.
