Google released version 42 of the Chrome web browser. With this release and future releases of Chrome, you may notice visual indicators (e.g., yellow triangle, red slash) in the HTTP secure address bar.
The symbols indicate that a website is using SHA-1 Secure Sockets Layer (SSL) certificates to ensure the security and privacy of visitors. SHA—or Secure Hash Algorithm—is an essential component of cybersecurity.
SHA-1 is being deprecated over the next two years in favor of SHA-2. To raise awareness of this change, web browsers, such as Google Chrome, are alerting visitors when they visit a site that uses SHA-1.
SHA-1 certificates that expire in 2015 show a "normal" green lock, SHA-1 certificates that expire in 2016 show a yellow triangle, and SHA-1 certificates that expire in 2017 show a red, crossed-out https.
Some SHA-1 SSL certificates will be valid until the end of 2016; therefore University Technology recommends that members of the Case Western Reserve University community learn how to verify that their connection to a website is secure. Seeing a yellow triangle or a red slash in the address bar is not a true indication that the website is insecure; the website just may be using an SHA-1 certificate.
At this time, Chrome is the only web browser to use visual indicators in the HTTP secure address bar to indicate that a website is using an SHA-1 certificate. Other browsers, such as Mozilla Firefox, may start using visual indicators as well.
How to identify an insecure website with Chrome
If you visit a university website in Chrome and notice a yellow triangle or a red slash, click the “lock” icon followed by the “Connection” tab.
Note that next to the middle “green lock” icon, the text reads that your connection is encrypted, but it is using obsolete technology. This means that the certificate is valid and that it is still safe to continue navigating the website.
With Chrome, if the certificate is invalid or communications cannot be encrypted for some other reason, your connection to the site is blocked. This is the best indication that a website is not secure.
Website Administrator Guidance
Many university websites are already using SHA-2 certificates. UTech is actively working to transition the remaining websites to SHA-2. Independent website administrators are encouraged to secure SHA-2 certification for their website as soon as possible.