YIKES! Today I went to a website using my Google Chrome browser and found this scary skull and crossbones icon next to the red, crossed out https in front of my URL:
My initial reaction was to shut down the web page immediately and never return as this appears to be a clear security warning. A site that isn’t using https, as indicated by the cross-out, shows that the URL is not secure or encrypted. However, after reading a bit further into the issue, I was glad to be able to hit Ctrl + Shift + T (a nifty little trick) to bring back the last webpage I had ex-ed out and investigate further.
I found a discussion on the Google help forum that explained when you see this alert, it means you’re browsing with an invalid SSL certificate. That means the data you send and receive is being encrypted, but Chrome can’t be sure the other party is who they say they are. The forum also instructed people experiencing this issue to click on the skull and crossbones to bring up a Security Information box, which will tell you why Chrome thinks the site is not completely safe.
There are three elements in the Security Information box, detailing information about your identity, connection, and visit history. If the identity is a green check mark (like I luckily had), it means that you’re on the correct website, but if it’s orange or red, you should leave the site as it is not, or never has been, verified anymore by a trusted source. If the connection section shows up orange (like mine below), it will give you a description as to why – usually because some part of the page hasn’t been encrypted (a picture, ad, or piece of unimportant text). The history section merely tells you if you have already visited this web site before and if the overall security or web site has changed.
All very helpful information, but, I’m not entirely satisfied since my Gmail account showed another kind of red x while my Google calendar showed a nice green glow. Shouldn’t all Google sites, Gmail included, be verified and completely secure for Google’s own security alerts?! So, what’s actually going on here?
The “best answer” on the Google forum from a Google employee stated that, “We’re experimenting with a new warning icon on the dev channel builds. The skull and crossbones icon means that some of the resources on the current page weren’t loaded securely (using SSL). This is known to the nerds among us as a ‘mixed content warning.’ The old indicator for ‘mixed content’ was less prominent, so even though the site you’re seeing this on probably hasn’t changed, the warning is now getting more attention.”
While the skull and crossbones may be a bit extreme, Google’s intentions are probably good, especially as one of the biggest problems with computer security these days is that these warnings pop-up all the time, but users have been trained to ignore them. However, I’m not sure the attention the new icon is getting is actually helping since people still have complete access to these insecure sites and the warning doesn’t prevent use of the page. The warnings should also probably tell users what specific parts of the webpage are not secure.
What do you think? Have you seen this angry pirate-esque warning pop-up on sites you frequent? Has it deterred you from staying on them or visiting again?