<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" > <channel> <title>Browser Indicators Archives - SSL.com</title> <atom:link href="https://www.ssl.com/tag/browser-indicators/feed/" rel="self" type="application/rss+xml" /> <link></link> <description>SSL/TLS Certificates, Code Signing Certificates, Document Signing, S/MIME, and Client Certificates in addition to IoT and Public and Private PKI</description> <lastBuildDate>Thu, 25 Feb 2021 20:27:28 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod> hourly </sy:updatePeriod> <sy:updateFrequency> 1 </sy:updateFrequency> <generator>https://wordpress.org/?v=6.5.5</generator> <image> <url>https://www.ssl.com/wp-content/uploads/2020/04/cropped-favicon-32x32.png</url> <title>Browser Indicators Archives - SSL.com</title> <link></link> <width>32</width> <height>32</height> </image> <site xmlns="com-wordpress:feed-additions:1">149092906</site> <item> <title>A look at browser UI security indicators</title> <link>https://www.ssl.com/article/a-look-at-browser-ui-security-indicators/</link> <dc:creator><![CDATA[Nick Naziridis]]></dc:creator> <pubDate>Fri, 12 Oct 2018 21:25:23 +0000</pubDate> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[Browser Indicators]]></category> <category><![CDATA[HTTPS]]></category> <category><![CDATA[SSL validations]]></category> <category><![CDATA[The HTTPS-Only Standard]]></category> <category><![CDATA[UI]]></category> <guid isPermaLink="false">https://www.ssl.com/?post_type=projects&p=9888</guid> <description><![CDATA[<p>We look at security indicators in browser UI and 
give you the state of the field as of now.<br /> Changing security indicators might look like a simple UI decision at first glance, but it carries significant implications. Read on for a brief overview of the current status of UI security indicators, as well as upcoming changes and how they might affect Internet users.</p> <p>The post <a href="https://www.ssl.com/article/a-look-at-browser-ui-security-indicators/">A look at browser UI security indicators</a> appeared first on <a href="https://www.ssl.com">SSL.com</a>.</p> ]]></description> <content:encoded><![CDATA[ <p><a href="https://www.ssl.com/wp-content/uploads/2018/10/UI_indicators_01_20180112.jpg"><img fetchpriority="high" decoding="async" class="aligncenter size-full wp-image-9893" src="https://www.ssl.com/wp-content/uploads/2018/10/UI_indicators_01_20180112.jpg" alt="" width="576" height="242" /></a></p> <h2>HTTP and HTTPS</h2> <p><a href="https://en.wikipedia.org/wiki/HTTPS" target="_blank" rel="noopener noreferrer">HTTPS</a> is the network protocol browsers use to communicate securely with web servers. HTTPS is a secure alternative to a much older protocol, called Hyper Text Transfer Protocol, or HTTP. HTTPS can protect users because it requires that all exchanged web (or HTTP) data be encrypted via a cryptographic protocol, called <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security" target="_blank" rel="noopener noreferrer">TLS</a> (HTTPS is literally <em>HTTP</em> over <em>TLS</em>).</p> <p>Encrypting web data with a secret key (as TLS does) improves user security by preventing attackers from reading or altering the original content in transit. Such network attacks are known as <a href="https://www.ssl.com/faqs/what-is-a-man-in-the-middle-attack/" target="_blank" rel="noopener noreferrer">man-in-the-middle (MITM) attacks</a>. 
Researchers have repeatedly demonstrated that MITM attackers can, in essence, read or modify any HTTP traffic without the user knowing about it.</p> <p>The added security makes HTTPS ideal for web applications handling sensitive data, and most such servers (e.g. banking or e-mail servers) have already been upgraded. Unfortunately, not all web servers support it, due to various operational restrictions, such as increased bandwidth, legacy issues and so on. Since there is potential danger, concerned users need to know whether they are browsing over an insecure connection.</p> <div class="su-divider su-divider-style-default" style="margin:15px 0;border-width:3px;border-color:#999999"></div> <h2>Enter security indicators</h2> <p>Browsers inform users about the security status of a web connection in the form of graphics shown in the address bar (e.g. the lock icon before the URL of this article). These <strong>security indicators</strong> can be either <em>negative</em>, warning users that they are in potential danger, or <em>positive</em>, reassuring them that their connection is secure.</p> <p>Security indicators are used to communicate two aspects of a web connection: <strong>connection security</strong> and the <strong>authenticity</strong> of the remote web server.</p> <h3>Connection security through encryption</h3> <p>Indicators convey connection security by distinguishing among <strong>encrypted</strong>, <strong>unencrypted</strong> and <strong>mixed content</strong> connections. Encrypted and unencrypted sites protect either all or none of their content. Mixed content means some components of an otherwise-encrypted web site are being retrieved through unencrypted channels.</p> <p>Components which can modify the content of the page (such as scripts or vectors) are called <strong>active content</strong>. 
Components with fixed identities (like static images or fonts) are called <strong>passive content</strong>.</p> <p>Although a fully encrypted web connection sounds secure, this alone does not mean that a web site is safe to browse.</p> <h3>Server authentication and digital certificates</h3> <p>Attackers can (and do) copy the content of a web site and redirect network traffic to their own malicious server, even over encrypted connections. Their server would only have to present a different TLS key, one the attacker knows, instead of the original secret. Having no reason to doubt the legitimacy of the connection, unsuspecting users could then be persuaded to log in or disclose other sensitive information.</p> <p>In response, browsers authenticate servers by correlating the credentials of legitimate web server owners with the unique encryption key each server presents. To do this, browsers delegate credential verification to third-party entities, called <strong>Certificate Authorities</strong> (<strong>CAs</strong>). Major browsers maintain root programs to manage their own trust of CAs, which must adhere to strict standards and audit requirements to be trusted by the browser.</p> <p>A web server owner requesting a certificate from a trusted CA, such as SSL.com, must present a valid public key and prove that they control the domain name and the server it points to. If these checks are successful, the CA issues a digital certificate to the owner, who uses it to both encrypt and authenticate connections to their site.</p> <p>Certificates are digital identities, containing information about the person or organization that owns a server. CAs cryptographically sign each certificate with a digital signature, an integrity mechanism analogous to a wax seal – attackers cannot duplicate the signature, and they would have to invalidate it before modifying the content. HTTPS requires a web server to greet a browser connection with that server’s valid certificate. 
The browser then checks the certificate – if it was signed by a trusted CA, the connection may proceed. (If a server presents a different, revoked or otherwise invalid certificate, the browser terminates or disallows the connection and warns the user, using error messages which we will examine in detail in a future article.)</p> <h4>Validation levels</h4> <p>It should be noted that not all certificates offer the same level of assurance, and security indicators may distinguish between the different certificate types issued for different levels of validation.</p> <p>CAs issue <strong>Domain Validated</strong> (<strong>DV</strong>) certificates to customers that have demonstrated control over a DNS domain. <strong>Organization Validated</strong> (<strong>OV</strong>) certificates are vetted to authenticate that an organization is a legal entity, in addition to domain control. Finally, <strong>Extended Validation</strong> (<strong>EV</strong>) certificates – which can display company information in the browser bar itself – are reserved for customers that have passed multiple independent verification checks (including human-to-human contact, reference to qualified databases and follow-up reviews) as well as the OV- and DV-level steps.</p> <div class="su-divider su-divider-style-default" style="margin:15px 0;border-width:3px;border-color:#999999"></div> <h2>Current status of indicators</h2> <p>In the early days of the internet, HTTP was the norm and HTTPS was introduced as an option for the most security-minded. As a result, most browsers only used <em>positive</em> indicators, i.e. a lock showing an HTTPS connection, and (optionally) whether that connection uses an EV certificate. Today, to promote security consciousness more broadly, Chrome, Firefox and Safari have also started adopting <em>negative</em> indicators, warning users of pages with unencrypted content or mixed active content. 
The following table summarizes the general state of security indicators in browsers. Starting with HTTP (which is not secure at all), each item further along the list is more secure than the previous ones.</p> <p><a href="https://www.ssl.com/wp-content/uploads/2018/10/Browser-UI-Indicators-November-2018-5.png"><img decoding="async" class="size-full wp-image-9970 aligncenter" src="https://www.ssl.com/wp-content/uploads/2018/10/Browser-UI-Indicators-November-2018-5.png" alt="" width="1260" height="476" /></a></p> <p style="text-align: center;">(Click on image to enlarge)</p> <div class="su-divider su-divider-style-default" style="margin:15px 0;border-width:3px;border-color:#999999"></div> <h2>Upcoming changes and plans for the future</h2> <p>Chrome’s Usable Security team has released a <a href="https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure" target="_blank" rel="noopener noreferrer">proposal</a> for changing this browser behavior. They suggest that all browsers should start to actively warn users against unsafe HTTP (or mixed content HTTPS) web sites with negative indicators, while working to remove positive security indicators from HTTPS web sites altogether.</p> <p>They base their decision on research <a href="http://www.usablesecurity.org/emperor/emperor.pdf" target="_blank" rel="noopener noreferrer">published in 2007</a>, which found that positive security indicators are ignored by users, whereas negative indicators are perceived as more serious. 
Chrome has also argued, in their original proposal, that “users should expect that the web is safe by default, and they’ll be warned when there’s an issue”.</p> <p>In line with this idea, starting in September 2018, newer Chrome versions (69+) display a “Not secure” negative indicator on all HTTP web sites, and no longer show the “Secure” positive indicator for HTTPS.</p> <p>Mozilla’s Firefox (since version 58) is one of the two other browsers that have adopted negative security indicators, but only for sites with mixed active content. Furthermore, in an <a href="https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/" target="_blank" rel="noopener noreferrer">official blog post</a>, they have announced their future plans for UI security indicators in Firefox: “Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear they are not secure”.</p> <p>Apple’s Safari (tech release 46+) is the remaining browser that uses negative indicators for web sites with mixed active content, although Apple has not made any public statements regarding its plans for security indicators in the future.</p> <p>Microsoft’s Edge and Opera browsers have not spoken publicly on their plans for UI security indicators.</p> <div class="su-divider su-divider-style-default" style="margin:15px 0;border-width:3px;border-color:#999999"></div> <h2>Conclusion</h2> <p>Being safe on the Internet <em>should</em> be the default, and active browser warnings against insecure HTTP connections could provide great motivation for some legacy web server owners to pay attention to the security of their sites and their visitors. Moreover, removing the “Secure” indicator from HTTPS web sites is (arguably) a step towards making HTTPS the expected norm. As for entirely removing positive indicators, some of them, such as EV indicators, can still provide important assurance to visitors in some circumstances. 
Whatever the future may be, as global HTTPS usage increases there are bound to be some interesting changes and challenges – so keep checking back with us for future information on these and other security topics.</p> <p>As always, thanks for reading these words from SSL.com, where we believe a <strong>safer</strong> Internet is a <strong>better</strong> Internet.</p> <p>The post <a href="https://www.ssl.com/article/a-look-at-browser-ui-security-indicators/">A look at browser UI security indicators</a> appeared first on <a href="https://www.ssl.com">SSL.com</a>.</p> ]]></content:encoded> <post-id xmlns="com-wordpress:feed-additions:1">10067</post-id> </item> </channel> </rss>