Blog entry by Les Bell

by Les Bell - Wednesday, 3 May 2023, 3:04 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Forget That Padlock

Security pros have long known that the padlock icon, indicating the use of SSL/TLS, is of declining value and may, in fact, be misleading some users into a false sense of security - which is why Google has decided to remove it from Chrome, starting with Chrome 117, in September 2023.

First: declining value. There was a time when many sites did not support SSL, rendering traffic vulnerable to the sniffing of sensitive data. Can you believe that some people even used to enter credit card details into those sessions? Even in 2013, only 14% of the Alexa Top 1M sites supported SSL. But that situation has changed enormously; the availability of free X.509 certificates from Let's Encrypt and others has eliminated the cost of entry, so that today over 95% of page loads in Chrome for Windows are over SSL/TLS sessions. Network sniffing is no longer a threat on the vast majority of sites.

Secondly, the majority of phishing sites also use TLS, so the presence of the padlock icon is far from a reliable indicator that a site is authentic or trustworthy. And even if the connection to a site is encrypted, that doesn't mean that user or customer information can't be compromised in many other ways, including ransomware and the loss of data from insecure cloud storage buckets, among others. So the presence of the lock doesn't mean a site is safe to use.

In fact, Google's 2021 research showed that only 11% of study participants correctly understood the precise meaning of the lock icon. Hence the decision to replace the lock icon with a more neutral derivative of the 'tune' icon, which will still lead to a dialog showing site-related information and controls. The change will apply to both desktop and Android versions of Chrome, while on iOS, where the icon is not tappable, the lock button will simply be removed completely.

However, on all platforms, plain HTTP connections will still be marked as insecure.

Adrian, David, et al., An Update on the Lock Icon, Chromium Blog, 2 May 2023. Available online at https://blog.chromium.org/2023/05/an-update-on-lock-icon.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
