Google’s New Scary Security Warning

YIKES! Today I went to a website using my Google Chrome browser and found this scary skull and crossbones icon next to the red, crossed out https in front of my URL:

My initial reaction was to shut down the web page immediately and never return as this appears to be a clear security warning. A site that isn’t using https, as indicated by the cross-out, shows that the URL is not secure or encrypted. However, after reading a bit further into the issue, I was glad to be able to hit Ctrl + Shift + T (a nifty little trick) to bring back the last webpage I had ex-ed out and investigate further.

I found a discussion on the Google help forum that explained that when you see this alert, it means you’re browsing with an invalid SSL certificate. That means the data you send and receive is being encrypted, but Chrome can’t be sure the other party is who they say they are. The forum also instructed people experiencing this issue to click on the skull and crossbones to bring up a Security Information box, which will tell you why Chrome thinks the site is not completely safe.

There are three elements in the Security Information box, detailing information about your identity, connection, and visit history. If the identity is a green check mark (like I luckily had), it means that you’re on the correct website, but if it’s orange or red, you should leave the site as it is no longer, or never has been, verified by a trusted source. If the connection section shows up orange (like mine below), it will give you a description as to why – usually because some part of the page hasn’t been encrypted (a picture, ad, or piece of unimportant text). The history section merely tells you if you have already visited this website before and if the overall security or website has changed.

All very helpful information, but, I’m not entirely satisfied since my Gmail account showed another kind of red x while my Google calendar showed a nice green glow. Shouldn’t all Google sites, Gmail included, be verified and completely secure for Google’s own security alerts?! So, what’s actually going on here?

The “best answer” on the Google forum from a Google employee stated that, “We’re experimenting with a new warning icon on the dev channel builds. The skull and crossbones icon means that some of the resources on the current page weren’t loaded securely (using SSL). This is known to the nerds among us as a ‘mixed content warning.’ The old indicator for ‘mixed content’ was less prominent, so even though the site you’re seeing this on probably hasn’t changed, the warning is now getting more attention.”

While the skull and crossbones may be a bit extreme, Google’s intentions are probably good, especially as one of the biggest problems with computer security these days is that these warnings pop up all the time, but users have been trained to ignore them. However, I’m not sure the attention the new icon is getting is actually helping since people still have complete access to these insecure sites and the warning doesn’t prevent use of the page. The warnings should also probably tell users what specific parts of the webpage are not secure.
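The wish above, that the warning name the specific insecure parts of a page, can be met with a small scanner that lists every subresource an HTTPS page pulls in over plain http. This is an added example, not code from the original post or from Chrome; the URLs and sample HTML are constructed, and it checks only static tags, not resources requested later by scripts or CSS.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> (attribute that triggers a fetch, mixed-content class).
# Active content can rewrite the page; passive content cannot.
FETCHED = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "object": ("data", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

# Constructed sample input (hypothetical hosts under example.test).
SAMPLE_PAGE_URL = "https://mail.example.test/inbox"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.test/widget.js"></script>
</head><body>
<img src="http://ads.example.test/banner.png">
<img src="//img.example.test/logo.png">
<a href="http://example.test/help">Help</a>
</body></html>"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, class, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHED:
            return  # e.g. <a href>: a navigation target, not a subresource
        attr, kind = FETCHED[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # this example only checks stylesheet links
        value = (attrs.get(attr) or "").strip()
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, value) if value else ""
        if urlparse(absolute).scheme == "http":
            self.findings.append((self.getpos()[0], tag, kind, absolute))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

On the sample page this reports the script on line 3 and the banner image on line 5, while the relative stylesheet and the protocol-relative image inherit https from the page and are not flagged.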

What do you think? Have you seen this angry pirate-esque warning pop up on sites you frequent? Has it deterred you from staying on them or visiting again?

Microsoft Security Intelligence Report

Microsoft’s latest Security Intelligence Report came out today detailing the changing threat landscape, among other analyses of malware, software vulnerability, privacy, and the like. For those who may not want to read the entire 184-page report cover to cover, Larry Dignan, Editor in Chief of ZDNet, gives a summary of the top five points to take away from the report.

One interesting aspect from the report was the following graph depicting the malware infection rates by region. Gizmodo notes that Myanmar and Ethiopia run a pretty tight ship, as noted by their favorable green coloring. And while the U.S. may not be as bad as Russia or Brazil, Larry Dignan notes that malware is still dominant in the U.S. and accounts for 67% of all infected computers.

Another interesting fact from the report is that Microsoft’s cyber security team concluded that spam is up to 97% of all emails. This is 3% higher than Google’s reporting from Postini in their Spam Data and Trends: Q1 2009 report, which I referenced in my post from March 31st.

With all of the increasing fears around malware and viruses, it’s no wonder that fake security software is gaining ground. Microsoft reports that simply by double-clicking the icon, the rogue software is launched. It then claims to have detected a bunch of nonexistent infections on your computer, which you then must protect by paying for their services. And voila, the rogue anti-virus software has infiltrated your system just like that – something my coworker, Lillian, discovered all too well just weeks ago when something similar happened on her computer – better luck next time Lil’.