Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

SHA-what? A new warning in Chrome shames outdated security

Glenn Fleishman | June 2, 2015
Chrome users recently started seeing a warning or an error about outdated encryption used by websites for secure connections.

thinkstock dunce cap shame shaming

As websites lag in taking action on fundamental, known security problems, Google and Mozilla have started to take matters into their own hands to alert users about server or infrastructure flaws. The latest iteration is Google rolling out a warning and an error in a recent version of Chrome that waggles its finger at outdated encryption methods used for securing sessions. Mozilla will follow no later than January, though maybe earlier. Where are Apple and Microsoft hiding? More on them later.

Security is often a double-edged sword: one edge can be as dull as an old bread knife, while the other can slice you in two so neatly you never knew it happened. Most Internet connections remain in the client/server model, in which a client (a browser, email software, a photo app) contacts a central server or system which handles retrieving and storing data and other online interaction.

As a result, exploitation can happen on either end, because they are asymmetrical: the client and server typically don't run any of the same code, nor do they carry out precisely the same tasks. A hacker doesn't have to crack a server's code to be able to exploit a connection on any network over which the data flows. She or he just needs access to the client software to poke at and find weaknesses. And when there is a lot of different client software that can access a lot of different servers, there's more chance of breaking in--although the heterogeneity also means fewer people are affected with most hacks.

In peer-to-peer networking, a security failure can affect every user all at once, because the software tends to act as client and server dynamically or simultaneously. This is bad (everyone is exposed) but there's also a much higher motivation to fix things.

The clever part about browser makers examining and alerting users is that they take advantage of the asymmetry and variety to the benefit of users. A website will never let you know that it's using outdated security, but a browser can do so with impunity, so long as it's technically accurate. And a site isn't going to lock out Chrome users because Google's browser is tut-tutting.

Will the real certificate please stand up?

Chrome 42, pushed out as a stable desktop release in April, implements security warnings and errors that Google advised were on its timeline last September related to poor website security.

When a user visits a site that uses an outdated method of validating a digital certificate, and that certificate expires during 2016, Chrome will offer a warning, which will appear as a yellow yield sign on top of the lock in its location/search bar. If a certificate expires after 2016, the site will not load, the lock will have a red X overlaid, and the "https://" portion in the bar will be struck through in red. It's dramatic.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.