Google is peeved. And every time Google is enraged, Chrome, the market leader among browsers, is readied for battle. This time, it's about certificates, a cornerstone of the Internet and data security. With the upcoming versions 66 (scheduled for April) and 70 (October), Google seeks to make the web more secure - and tries to settle a few scores in the process. Read on to learn why many sites will soon be flagged as "insecure" and disappear from the top search results!
Google wants to make the web a safer place, maybe out of self-interest to some degree (i.e. product maintenance) but also because there's a real need for better security. Since the Internet is international and decentralized, there is no single regulatory body. That's why, every now and then, companies team up with states to effect change, or IT giants (here: Google) use their dominance to push things through on their own initiative. First, sites without HTTPS encryption will come under fire. HTTPS encryption is essential to exchange data securely.
Without encryption, anything sent over the Internet travels as plain text and can be read, or silently altered, by anyone on the network path: the operator of the Wi-Fi you are using, your ISP, any router in between. That is the setting for man-in-the-middle attacks. HTTPS lets the web server and the browser negotiate an encrypted connection that is very hard to break, and the server's certificate assures users that they are talking to a server holding a certificate for the domain name shown in the address bar. This is what the padlock symbol next to the URL stands for; note that it says nothing about whether the people behind that domain are honest. Clicking the lock reveals additional details about the certificate, its issuer and the domain it was issued for.
In the past, HTTPS certificates were like status symbols and only used by large online stores, banks and government institutions while the rest could only pray and hope for the best. Certificates were expensive and difficult to set up, which is why smaller sites either shunned the effort or simply couldn't afford it. Over the past few years, HTTPS certificates have dropped in price, and certificate authorities like Let's Encrypt now issue them for free and automate the setup. Does that mean all is well?
Not quite, since at least 30% of sites either can't or won't participate. Some web hosters only accept expensive certificates issued by commercial providers, maybe because they don't want to fall out of favor with them. In other cases, site providers simply have no motivation to use HTTPS, and I can understand that as long as those sites are run by private individuals. Anyway, Google has now begun to tighten the reins. Sites that do not use HTTPS will soon be marked "Not secure" in Chrome, which may scare off a few users. Firefox will join in the effort starting with version 60 and other browser developers will likely follow suit. And as if that wasn't enough, affected sites will also be downranked in Google's search results: HTTPS has been a ranking signal since 2014, albeit a minor one, and we all know that no-one ever looks past page 1 of those results!
In this light, the clash between Google and Symantec feels almost personal. It can be objectively said that Symantec has been careless when issuing certificates in the past. Back in 2015, when Symantec's CA issued test certificates for Google domains without Google's knowledge, Symantec already received a sharp rebuke. In 2017, Google then accused Symantec of having incorrectly issued over 30,000 certificates without proper verification of the applicants (Symantec disputed that figure and put the number of misissued certificates at 127). Others received certificates for domains they didn't own. Imagine what criminals could do with a certificate issued in the name of a bank or a big online store!
Again, the loss of trust will carry severe consequences. As of April 17, Chrome 66 will show a full-page certificate error for any certificate issued before June 1, 2016 by Symantec's legacy infrastructure, which includes the GeoTrust, Thawte and RapidSSL brands, telling users that the connection is not private and may be intercepted. Like other certificate errors, that page can be clicked through unless the site uses HSTS, in which case there is no way past it. If this happened to an online store, it would be a disaster. In October, Chrome 70 extends the same error to every certificate from that legacy infrastructure regardless of its issue date; the certificates are not revoked, Chrome simply stops trusting them. Only certificates issued by DigiCert, which took over Symantec's certificate business on December 1, 2017, remain valid. It's reasonable to assume that search rankings will also be adjusted accordingly, resulting in further downranking. So far, many big names, including Tesla, are directly or indirectly affected.
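To see which of your own certificates Chrome 66 and 70 will reject, here is an added example (my code, not from the article and not Google's or Symantec's tooling). It parses the issuer and validity dates that `openssl x509` prints and applies the two cut-off dates above. The brand-name heuristic on the issuer's O= field and the use of the December 2017 DigiCert takeover date are my assumptions standing in for the real criterion, which is whether the chain terminates at one of the legacy Symantec roots; the sample inputs are constructed, not real certificates.

```python
"""Check whether a certificate falls under Chrome's Symantec distrust schedule.

Added example, not code from the original article. Input is the output of
    openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer -dates
Assumption: the issuing organisation (O=) is used as a stand-in for "chains to a
legacy Symantec root"; the authoritative check is the root the chain ends in.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Chrome 66 (April 2018): legacy Symantec certificates issued before this date.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
# Chrome 70 (October 2018): everything else from the legacy Symantec PKI.
# DigiCert took over issuance on 1 December 2017; certificates issued after
# that come from DigiCert's own infrastructure and are not affected (assumption).
DIGICERT_TAKEOVER = datetime(2017, 12, 1, tzinfo=timezone.utc)

# Brands that issued from the legacy Symantec PKI (heuristic, see docstring).
LEGACY_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl", "equifax")

_ORG_RE = re.compile(r"(?:^|[/,])\s*O\s*=\s*([^/,]+)")
_DATE_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Jun  1 00:00:00 2016 GMT"


def parse_x509_text(text: str) -> dict:
    """Parse the issuer=/notBefore=/notAfter= lines printed by `openssl x509`.
    Handles both the old '/C=US/O=...' and the new 'C = US, O = ...' layouts."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "issuer":
            fields["issuer"] = value
        elif key in ("notBefore", "notAfter"):
            fields[key] = datetime.strptime(value, _DATE_FMT).replace(tzinfo=timezone.utc)
    return fields


def issuer_org(issuer: str) -> str:
    """Return the O= component of a distinguished name, lower-cased ('' if absent)."""
    m = _ORG_RE.search(issuer)
    return m.group(1).strip().lower() if m else ""


def chrome_distrust(issuer: str, not_before: datetime) -> Optional[int]:
    """Return 66 or 70 (first Chrome version that rejects the certificate), or None."""
    org = issuer_org(issuer)
    if "digicert" in org or not any(brand in org for brand in LEGACY_BRANDS):
        return None                      # not the legacy Symantec PKI
    if not_before >= DIGICERT_TAKEOVER:  # assumption: issued by the new operator
        return None
    return 66 if not_before < CHROME66_CUTOFF else 70


def classify(openssl_text: str) -> Optional[int]:
    """Convenience wrapper: openssl output in, first distrusting Chrome version out."""
    fields = parse_x509_text(openssl_text)
    return chrome_distrust(fields["issuer"], fields["notBefore"])


# Constructed sample outputs (not real certificates), one per case.
SAMPLES = {
    "legacy, pre-June-2016 (Chrome 66)": """\
issuer= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
notBefore=Mar 10 00:00:00 2016 GMT
notAfter=Mar 10 23:59:59 2018 GMT""",
    "legacy, post-June-2016 (Chrome 70)": """\
issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
notBefore=Aug  1 00:00:00 2017 GMT
notAfter=Aug  1 23:59:59 2019 GMT""",
    "DigiCert-operated GeoTrust brand (fine)": """\
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
notBefore=Feb 20 00:00:00 2018 GMT
notAfter=Feb 20 12:00:00 2020 GMT""",
    "Let's Encrypt (fine)": """\
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
notBefore=Apr  2 10:00:00 2018 GMT
notAfter=Jul  1 10:00:00 2018 GMT""",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:42} -> distrusted from Chrome {classify(text)}")
```

Note the third sample: a GeoTrust-branded intermediate with O = DigiCert Inc is the new infrastructure and passes, which is why the check looks at the organisation rather than at brand names in the CN. For a definitive answer, inspect the full chain (`openssl s_client -showcerts`) and compare its root against the legacy Symantec roots rather than relying on names.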
As always on the Internet, reactions are mixed. One side praises Google for their security work and accuses Symantec of bringing the "holy grail" of online certificates into disrepute (Whom can you trust once HTTPS is no longer secure?) while others see Google overstep their boundaries. They argue that Google is trying to distract from their own problems like various data security issues in their products. And anyway, who made Google town sheriff? Yes, they have considerable market power but does this give them the right to put millions of web sites at a disadvantage and to harm a company like Symantec with over 11,000 employees? Does the end justify the means in this case?
What do you think?
It is about profit and loss in the disguise of security. Understand we do need it, but it needs to be adopted world wide with the collaboration of many to get the real outcome... Not because of market power or an "I am the biggest player in town" attitude...
First of all, thank you for the explanation; very public-spirited. Second, Google are doing the right thing for me and other naive internet users. No doubt you will have all sorts of smart arses describing how they duck and weave to avoid being nailed by the bad guys. Sad. Any regulation is censorship and is going to have the effect of limiting research because information sources can't be bothered to get certification. Bring it on - certification is a badge of authenticity.
Sven - I have a question. I run a simple website for a photography club that I belong to. The site is hosted by one of the many specialist companies who provide online software to make it easy to create your site.
Will this decision by Google mean that anyone searching for my site by typing the name of the club into a Google search won't find our website on the first results page?
No need for concern, your site can still be found. If there are many sites that use similar names or search terms, sites without proper HTTPS certificates may show up behind the others. Your site will still remain visible, though.
Google is concerned about security? I can't stop laughing since Google Sites are not HTTPS. Google gives anyone using Google sites with a domain name an HTTP rather than HTTPS. They've been doing it for a long time Sven.
I've never believed the numbers these fat cat corporations toss around. None of their stats can be proven. It's all smoke and mirrors, Sven, when Google says a billion videos are uploaded without mentioning how many billions Google deletes each month. Their search results are limited to those with the most money to pay for the listing.
One becomes sick and tired of organisations, Google included, politicians and leaders of many countries who continue to bicker with written and verbal confrontations, chest-beating in their own inimitable, immature styles and 'dummy-spitting' worse than kindergarten children arguing over the colours in a bag of sweets.
We lived quite well without the Internet, the good for which it was created has been turned into a slimy bog by miscreants, criminals and self-important dictators, aka Google et al.
A good writeup, Sven.
I suppose there will be Symantec resellers scrambling around while dealing with alarmed customers.
I avoid Google as much as I can. I never use their search engine. I use Qwant, Startpage (I know, Google results but without the stalking) or Duck Duck Go. I do not use Chrome, but I do use Chromium.
Anyone can buy a certificate, even criminals, so there's still no guarantee that just because a site uses SSL it is a legitimate site. I'm pretty sure criminals will be well established with fake credentials to bypass any verification.
I have a few sites, and none of them use SSL because I do not send or receive any form data. Maybe SSL is being used generally rather than for stores that handle payments or sites that post user data to a database and get it back.
Anyway, after using a site with SSL, you get an e-mail confirmation in plain text. Well, that's like securing half of the information. Maybe all e-mail clients should be bundled with PGP or something similar so e-mails will be encrypted end-to-end.
Well, that might be interesting. In my work I extensively use the eur.lex.europa.eu site that is a repository of all the EU legislation, an official EC site. Often I get to the legal acts of interest by "googling them up". And guess what - it is not an HTTPS connection :) Will Google block it or downgrade it in their search results, or will they start making exceptions not to kick potentially big opponents where it hurts, just in case they kick back stronger?
And by the way, I look beyond the first page of search results, sometimes ten or more pages :)
That’s truly an interesting question! For example, the German Federal Ministry of Finance also uses an old Symantec certificate. Are big players being spared? Fascinating!
Google is too big for their boots
Cannot someone 'crack' Google's and Symantec's heads together? Form a single united body to control the issue of certificates. Surely the security of the internet is more important than either individual body. If people's identities are compromised due to insecure https sites they will no longer conduct financial transactions online, and that could hurt or even destroy both Google and Symantec.