You may have received an error or warning in your web browser about a site you visit not being secure. This can happen for many reasons. Usually, the fault lies with the web server because the server administrator has not been keeping up with the latest security best practices or has made a mistake in implementing a security measure. Nevertheless, in a surprising number of cases, the cause is not the server at all: your machine's clock may be off by more than several minutes, or you may be using a free public WiFi service that has a captive login portal.
Google is working to make its browsers recognize and adjust for some common issues so the browsers can either allow for them, or give error messages specific to the likely causes.
For example, if the web server fails to provide a complete certificate chain, the browser warns simply that the site is insecure. Google is now working on methods to see if they can provide the missing information in the certificate chain and, if so, allow the connection without any warnings. Similarly, Google is working to check the time on your machine in the case of a certificate validation error, and display a specific message about your clock being off. Google is also working to make its browsers determine if a captive WiFi portal might be causing a security issue and, if so, suggest how you might check for that.
As part of Google's plan to move everything off HTTP to HTTPS, Chrome will soon start to mark any non-encrypted HTTP pages that ask for information as not secure. Eventually, they plan to show any HTTP pages as insecure, whether or not information is requested.
If you run a web server, now is the time to make sure it not only provides secure services, but forces users to use a secure connection. If you use a web client, you should anticipate seeing more and more warnings about insecure sites and prepare for how you're going to deal with those messages.
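For server administrators, one way to check that a site really forces a secure connection is sketched below. This is an added example, not code from the article's author: it assumes "forcing" means the plain HTTP request is redirected to https:// on the same host and the HTTPS response sends a Strict-Transport-Security (HSTS) header, and the function names, the 180-day threshold and the sample responses are all constructed for illustration.

```python
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 15552000  # 180 days: an assumed policy minimum, not from the article

def parse_hsts_max_age(header_value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in (header_value or "").split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdecimal():
            return int(value)
    return None

def audit_https_enforcement(host, http_response, https_response):
    """Return findings for one host; an empty list means HTTPS is enforced.
    Each response is a dict of the form {"status": int, "headers": {name: value}}."""
    findings = []
    http_headers = {k.lower(): v for k, v in http_response["headers"].items()}
    https_headers = {k.lower(): v for k, v in https_response["headers"].items()}

    # 1. Plain HTTP must answer with a redirect to https:// on the same host.
    target = urlsplit(http_headers.get("location", ""))
    if http_response["status"] not in (301, 302, 307, 308):
        findings.append("HTTP request is served directly instead of redirected")
    elif target.scheme != "https":
        findings.append("HTTP redirect does not point to an https:// URL")
    elif (target.hostname or "").lower() != host.lower():
        findings.append("HTTP redirect changes host before HSTS can be set")

    # 2. The HTTPS response must carry HSTS so later visits skip plain HTTP.
    max_age = parse_hsts_max_age(https_headers.get("strict-transport-security"))
    if max_age is None:
        findings.append("HTTPS response has no valid Strict-Transport-Security header")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age is shorter than the policy minimum")
    return findings

# Constructed sample responses (not captured from any real server).
GOOD = ({"status": 301, "headers": {"Location": "https://www.example.edu/"}},
        {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}})
WEAK = ({"status": 200, "headers": {}},
        {"status": 200, "headers": {"Strict-Transport-Security": "max-age=300"}})

if __name__ == "__main__":
    for name, pair in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_https_enforcement("www.example.edu", *pair))
```

To audit a real site, fill the two dictionaries from the status line and headers your server returns for the same path over http:// and https://.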
Some users have mistakenly believed that using "incognito" mode or similar privacy guards in the browser will protect them from data theft on insecure sites, but this is not true. If the site and your browser pass any information without HTTPS, that data is vulnerable [1], even when incognito mode is enabled. You should make sure you always use secure connections whenever possible.
[1] You can mitigate the security risk of using HTTP instead of HTTPS by using a VPN or other security measure on your machine. However, please note that the UT VPN solution does not protect your data unless you are connecting to a UT-owned resource! So using the UT VPN will not protect you when visiting any site outside of UT.
Written by Eric Rostetter, Senior System Administrator
Questions or comments? The best and easiest way to contact us is via the CNS Help Desk form.