Google’s next Chrome version will further strengthen security, but it could spell trouble for thousands of websites. Google Chrome 70 will start to roll out on Oct. 16, and as a result, thousands of websites using old security certificates may stop working.
Which sites will be affected?
Once Google Chrome 70 is live, users visiting affected sites will see a security warning. Google is expected to drop trust for HTTPS security certificates issued by Symantec before June 2016. Last year, Google found that Symantec had improperly issued security certificates. It was also discovered that Symantec gave many organizations the authority to issue certificates despite being aware of security issues with those organizations. Google warned then that it would stop supporting sites with such certificates.
According to security researcher Scott Helme, more than 1,000 sites in the top 1 million websites based on Alexa rankings will be affected when Chrome 70 comes out. Some of the affected websites include many government sites from Tel Aviv and India and also Penn State Federal Credit Union. Websites such as Ferrari and Solidworks were also on Helme’s list, but they have since changed their certificates, so they should not face problems now.
A decade ago, no one talked about tail risk hedge funds, which were a minuscule niche of the market. However, today many large investors, including pension funds and other institutions, have mandates that require the inclusion of tail risk protection. In a recent interview with ValueWalk, Kris Sidial of tail risk fund Ambrus Group, a Read More
“It’s worth noting this list is not exhaustive but I do cover the whole of the Alexa top 1 million. It also won’t find things like subresources on a page using a legacy Symantec certificate that will break, this is just the cert for the site itself,” Helme said in a blog post.
Additionally, TechCrunch claims websites using old certificates issued by Thawte, VeriSign, Equifax, GeoTrust and RapidSSL will also be affected.
Why are HTTPS certificates important?
HTTPS certificates are used to encrypt data between the site you are accessing and your system. The encryption makes it impossible for anyone to snoop on your data. HTTPS certificates are also proof of the integrity of the site, which suggests a hacker has not edited the pages. HTTPS certificates are issued by a certificate authority which follows certain rules and procedures. Over time, web browsers start trusting such certificates, but if that trust is broken, browsers can end support, and that is what Chrome 70 is doing.
It must be noted that the use of old certificates won’t get sites blocked, at least for now. Users visiting such sites will see a security warning at first, but going forward, Google may decide to ban these sites, considering that it made Symantec aware of the issue last year. Google already started distrusting some certificates in Chrome 66.
There can be only two reasons sites are not moving to new certificates. They are either not aware of the security development, or they may be hoping to delay paying for new certificates as long as they can. Nevertheless, it can be expected that the affected sites will probably make the transition soon, considering that Chrome is the most-used browser.
Other changes with Chrome 70
In addition to dropping trust for certain websites, Chrome 70 will also end a controversial decision that came with Chrome 69. A feature in Chrome 69 automatically signs users into the web browser if they sign in to any Google service, such as Gmail or YouTube. After backlash from users, the search giant announced that it would disable the feature in Chrome 70.
Google’s security efforts also made headlines recently after Chrome 69 started hiding the “www” portion of a web address in the Chrome omnibox. Google reversed the change after backlash from users but said the change will be there again in Chrome 70.
“In Chrome M69, we rolled out a change to hide special-case subdomains ‘www’ and ‘m’ in the Chrome omnibox,” Google Chromium Product Manager Emily Schecter said. “After receiving community feedback about these changes, we have decided to roll back these changes in M69 on Chrome for Desktop and Android.”
There are reports Google will kill web addresses altogether. As of now, there is no information on what alternative Google would provide in place of web addresses. However, Google has said it is just an idea it is working on and part of its bigger effort to make the Internet safer.