Identify Insecure Websites Following Google Chrome Update

Google released version 42 of the Chrome web browser. With this release and future releases of Chrome, you may notice visual indicators (e.g., yellow triangle, red slash) in the HTTPS address bar.

The symbols indicate that a website is using SHA-1 Secure Sockets Layer (SSL) certificates to ensure the security and privacy of visitors. SHA, or Secure Hash Algorithm, is an essential component of cybersecurity.

SHA-1 is being deprecated over the next two years in favor of SHA-2. To raise awareness of this change, web browsers, such as Google Chrome, are alerting visitors when they visit a site that uses SHA-1.

Three web address bars stacked. The top has a lock symbol with a red x and HTTPS:// with a red line through it. The middle has a lock symbol with a gold triangle and HTTPS://. The bottom has a lock icon and HTTPS:// in green.

SHA-1 certificates that expire in 2015 show a "normal" green lock, SHA-1 certificates that expire in 2016 show a yellow triangle, and SHA-1 certificates that expire in 2017 show a red, crossed-out https.

Some SHA-1 SSL certificates will be valid until the end of 2016; therefore, University Technology recommends that members of the Case Western Reserve University community learn how to verify that their connection to a website is secure. Seeing a yellow triangle or a red slash in the address bar is not a true indication that the website is insecure; the website may just be using an SHA-1 certificate.

At this time, Chrome is the only web browser to use visual indicators in the HTTPS address bar to indicate that a website is using an SHA-1 certificate. Other browsers, such as Mozilla Firefox, may start using visual indicators as well.

How to identify an insecure website with Chrome

If you visit a university website in Chrome and notice a yellow triangle or a red slash, click the “lock” icon followed by the “Connection” tab.

Note that next to the middle “green lock” icon, the text reads that your connection is encrypted, but it is using obsolete technology. This means that the certificate is valid and that it is still safe to continue navigating the website.

Site with a red slash through the lock icon and URL
Site with the gold triangle through the lock and URL

With Chrome, if the certificate is invalid or communications cannot be encrypted for some other reason, your connection to the site is blocked. This is the best indication that a website is not secure.

Screenshot of a red lock icon and text that says "Your Connection is Not Private"

Website Administrator Guidance

Many university websites are already using SHA-2 certificates. UTech is actively working to transition the remaining websites to SHA-2. Independent website administrators are encouraged to secure SHA-2 certification for their website as soon as possible.
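
For administrators auditing their own sites, the indicator rule described above can be applied to the text printed by openssl x509 -noout -text. This is an added example, not code from UTech or Google: the certificate excerpts are constructed, the function names are hypothetical, only the site's own certificate is examined, and treating expiry years before 2015 or after 2017 like the nearest year the article names is an assumption.

```python
import re

# Constructed excerpts in the layout of `openssl x509 -noout -text`
# (only the fields this check reads; not real certificates).
def sample(algorithm, not_after):
    return (f"    Signature Algorithm: {algorithm}\n"
            f"        Validity\n"
            f"            Not Before: Jan  1 00:00:00 2014 GMT\n"
            f"            Not After : {not_after} GMT\n")

SAMPLES = {
    "a.example": sample("sha1WithRSAEncryption", "Jun 30 12:00:00 2015"),
    "b.example": sample("sha1WithRSAEncryption", "Dec 31 23:59:59 2016"),
    "c.example": sample("ecdsa-with-SHA1", "Jan  1 00:00:00 2017"),
    "d.example": sample("sha256WithRSAEncryption", "Jan  1 00:00:00 2017"),
}

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*\w{3}\s+\d{1,2}\s+[\d:]+\s+(\d{4})")
SHA1_RE = re.compile(r"sha-?1(?!\d)", re.IGNORECASE)

def parse_cert_text(text):
    """Return (signature algorithm, expiry year) from openssl text output."""
    sig, end = SIG_RE.search(text), NOT_AFTER_RE.search(text)
    if not sig or not end:
        raise ValueError("missing Signature Algorithm or Not After field")
    return sig.group(1), int(end.group(1))

def chrome42_indicator(text):
    """Indicator per the article's rule for the site's own certificate."""
    algorithm, expiry_year = parse_cert_text(text)
    if not SHA1_RE.search(algorithm):
        return "no SHA-1 indicator"
    if expiry_year <= 2015:   # article states 2015; earlier years assumed same
        return "green lock"
    if expiry_year == 2016:
        return "yellow triangle"
    return "red crossed-out https"  # article states 2017; later assumed same

def needs_sha2_reissue(certs):
    """Sorted site labels whose certificate is still signed with SHA-1."""
    return sorted(site for site, text in certs.items()
                  if SHA1_RE.search(parse_cert_text(text)[0]))

if __name__ == "__main__":
    for site, text in SAMPLES.items():
        print(f"{site}: {chrome42_indicator(text)}")
    print("reissue with SHA-2:", needs_sha2_reissue(SAMPLES))
```
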

For assistance with any technology product or service at Case Western Reserve, such as information security, visit help.case or contact the UTech Service Desk at 216.368.HELP (4357) or help@case.edu.