Chrome Untrusted Site Warning
Posted by Erin Bard on 21 April 2015 11:02 AM
Starting in mid-April 2015, Google Chrome will start flagging some previously secure websites as now being untrustworthy. This is reflected in the green lock icon in the URL bar changing to a red X with a line through the "https" part of the URL. This change is likely to happen suddenly, whenever your copy of Chrome updates to version 42.x.x.
Example of a properly secured site:
Example of an insecure site:
This change is happening because one of the main methods of encrypting websites is an old technology which will be retired in 2017, and Google Chrome is proactively marking sites using this old technology as insecure in an effort to encourage site owners to upgrade to the modern encryption technology.
For additional technical information, please read this section at the end of the article.
What you should do
If you browse to an HTTPS website and see the red X instead of the green lock, stop and check why the site is marked as insecure. To do this, click on the lock icon (whether it is red, green, or yellow) and additional security information will be displayed. Notice the highlighted sections in the screenshot below and what they tell you about the nature of the problem:
If you see that message, it is ok to proceed. This warning is simply stating that the site is not as secure as it should be.
We also recommend that you contact the site owner and alert them to the error so that they can fix their site. The fix is very easy: they just need to get a new certificate signed with a SHA2 hash instead of the current SHA1 hash. This can be done in as little as 10 minutes for small sites, and most certificate vendors have instructions for this fix on their websites.
However, if you see the error message below, then you should NOT proceed and should instead contact the Helpdesk if it is a Houghton.edu site or one that you need to access for college business:
This error indicates that someone may be trying to trick you into visiting a fake website. For additional information you can click on the lock icon in the URL bar and see why Chrome thinks there is a problem:
In this case it is because the server's certificate does not match the URL. At this point we recommend you leave the website, but if you wanted to find out why the certificate doesn't match the URL, you can also click on "Certificate information" to find out...
From this screenshot we can see that the certificate is for "a.ssl.fastly.net" but the URL is "www.cnn.com", so they don't match. Normally this is an indication of bad things happening and you should stay away. In this specific case, however, it is because CNN's website is hosted by a 3rd party and the site is not intended to be viewed over HTTPS connections, so the certificate was not purchased for the CNN domain name. It is therefore not actually an example of an attack.
Technically, the issue is that the SHA1 hash function used to sign digital certificates is no longer considered to be secure and is being replaced by the SHA2 hash function, which is stronger.
For additional information on Google Chrome's handling of this change, please see this article: Google Online Security Blog
For more technical information on migrating from SHA1 to SHA2, please see this article: Qualys Security Labs Blog
For other questions about this change, please contact the Helpdesk at email@example.com.