New Site Security Indicators In Chrome


Emily Schechter

Jul 26, 2016, 3:00:28 PM
to securi...@chromium.org

Link to post here.


Posted by the Chrome Security Enamel team


To help users make security decisions, Chrome indicates site security with an icon in the address bar.  Starting in Chrome 52 on Mac desktop, and in Chrome 53 on other platforms, the security icons are redesigned to make it easier for users to tell how secure their connection to a site is, and whether the site is dangerous or deceptive.


[Image: deathly-hallows-2.png]


The new icons use a distinct combination of color and shape for each security state. The states are modeled after ISO iconography standards: the circle-i for information, and the triangle for caution. We’re sticking with the lock for secure HTTPS.


The distinctly shaped icons yield several improvements. They are more universally recognized, and more accessible — not all people associate green with safety or red with risk (or can see the difference between red and green!) They are also more scalable, as they remain legible for smaller screen sizes.


We plan to add the dangerous security state icon on malicious and deceptive sites that are flagged by Google Safe Browsing. These icon improvements are the first step in an overhaul of how Chrome communicates connection security state.


We conducted extensive user research to choose these indicators, and we’ve shared our results in a peer-reviewed scientific paper. If you’re a developer who needs to communicate connection security, we encourage you to use the same icons from Material Design to convey the same security states as Chrome, and to secure your site with HTTPS if you have not done so already.


Emily Schechter

Jul 26, 2016, 4:22:47 PM
to Emily Schechter, securi...@chromium.org
D'oh... the link wasn't accessible. Here's a better one. 

Eric Mill

Jul 26, 2016, 7:06:19 PM
to Emily Schechter, security-dev
The link to the peer-reviewed scientific paper didn't work in the email version, but it was correct in the post version you linked to. The paper is here:


-- Eric

--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.




jessyc...@gmail.com

Jan 3, 2017, 1:40:37 PM
to Security-dev, emilysc...@chromium.org
If I purchase a low-assurance SSL cert, I get the "info" indicator. How high of assurance do I need to get the "Secure" with green text indicator? Is this only available via "Green Bar" SSL certs?

On Tuesday, July 26, 2016 at 12:00:28 PM UTC-7, Emily Schechter wrote:
> Link to post here.
>
>
>
> Posted by the Chrome Security Enamel team
>
> To help users make security decisions, Chrome indicates site security with an icon in the address bar.  Starting in Chrome 52 on Mac desktop, and in Chrome 53 on other platforms, the security icons are redesigned to make it easier for users to tell how secure their connection to a site is, and whether the site is dangerous or deceptive.
>
>
>

Vincent Lynch

Jan 3, 2017, 1:47:29 PM
to jessyc...@gmail.com, Security-dev, Emily Schechter
Hi Jessy,

Any SSL certificate will allow you to get the "Secure" indicator with green text. You do not need to buy a specific kind of certificate.

If you are accessing your site over HTTPS and getting the "info" indicator, it is likely due to a configuration problem.

There is more than one cause of this. The most common is "mixed content," meaning that some content is still being loaded insecurely over HTTP. Chrome does not give the "Secure" indicator in this situation.

If you want to share your domain name I can tell you exactly what problem is causing this.

-Vincent




--
Vincent Lynch

Chris Palmer

Jan 3, 2017, 1:48:11 PM
to jessyc...@gmail.com, Security-dev, emilysc...@chromium.org
A regular domain-validated (DV) certificate is sufficient to get the Secure UX treatment. However, Chrome will downgrade from Secure to Info if the page loads any display content (images, etc.) via non-secure references. For example, a secure page with <img src="http://example.com/whatever.jpg"/> (note the "http") will cause the otherwise-secure page to get marked with Info instead of Secure.


Jessyca Frederick

Jan 3, 2017, 1:54:28 PM
to Vincent Lynch, Security-dev, Emily Schechter
Thanks so much for the helpful reply! I couldn't find information on the importance of assurance levels anywhere online (except at websites that sell SSLs and want more money for higher assurance levels)... hopefully this will help others with the same question.

We are indeed still serving mixed content (for a few more hours) and I'll check if it turns green after we push the https switch out to production. Thank you for offering assistance!

PhistucK

Jan 3, 2017, 4:31:03 PM
to Jessyca Frederick, Vincent Lynch, Security-dev, Emily Schechter
I think the Developer Tools Security panel would have hinted at the problem, by the way.

Another solution/workaround would be to use the upgrade-insecure-requests Content Security Policy directive (in case the servers do support HTTPS, but the href or src values themselves are HTTP leftovers).


PhistucK
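
[Added example, not part of any message in this thread.] The mixed-content condition described in the replies above can be audited offline before a switch to HTTPS: the sketch below lists every subresource reference that still resolves to http:// on an https:// page, and checks whether a Content-Security-Policy value carries upgrade-insecure-requests. The function names, the hosts shop.example and cdn.example, and the sample markup are assumptions made for the illustration; the img URL is the one quoted earlier in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
# <a href> is a navigation, not a subresource, so it is not listed.
LOADING_ATTRS = {"img": "src", "audio": "src", "video": "src", "source": "src",
                 "script": "src", "iframe": "src", "link": "href"}

class _Scanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = LOADING_ATTRS.get(tag)
        if attr is None or not attrs.get(attr):
            return
        # <link> fetches a subresource only for some rel values
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "icon"}:
            return
        # Resolve relative and protocol-relative URLs against the page URL
        url = urljoin(self.page_url, attrs[attr].strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, attr, url))

def find_mixed_content(page_url, html):
    """Return (tag, attr, url) for each http:// subresource of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for a secure page
    scanner = _Scanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def csp_upgrades_requests(csp_value):
    """True if a Content-Security-Policy value has upgrade-insecure-requests."""
    names = [d.split()[0].lower() for d in csp_value.split(";") if d.strip()]
    return "upgrade-insecure-requests" in names

# Constructed sample markup; shop.example and cdn.example are placeholder hosts
SAMPLE = """<link rel="canonical" href="http://shop.example/cart">
<script src="//cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
<img src="http://example.com/whatever.jpg"/>
<a href="http://example.com/">old link</a>"""
```

Calling find_mixed_content("https://shop.example/cart", SAMPLE) reports the legacy.js script and the whatever.jpg image; the protocol-relative script, the canonical link and the plain hyperlink are not subresource loads over http and are skipped.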

moa...@gmail.com

Jan 4, 2017, 4:48:01 AM
to Security-dev, emilysc...@chromium.org
Hello there,

I recently saw my URL bar and it looks a bit different. I am not sure if this is something I should be worried about. For example, after the lock there is a "Secure | https://reddit.com". I don't know where this "Secure |" popped up from. Was wondering if this is a new update on Chrome or if there is some malicious malware installed on my browser.

Emily Schechter

Jan 4, 2017, 1:11:15 PM
to moa...@gmail.com, Security-dev, Emily Schechter
Yes, this is a Chrome update. Please see this support article for more info.

On Wed, Jan 4, 2017 at 1:48 AM, <moa...@gmail.com> wrote:
> Hello there,
>
> I recently saw my URL bar and it looks a bit different. I am not sure if this is something I should be worried about. For example, after the lock there is a "Secure | https://reddit.com". I don't know where this "Secure |" popped up from. Was wondering if this is a new update on Chrome or if there is some malicious malware installed on my browser.