

20161107 - Chrome increases its security requirements

Over the last few months, Google has made several announcements regarding the new security standards that sites will have to meet to be accepted by its Chrome browser.

1 - The forms

Google goes straight to the point and reaffirms its intention to protect web users' data. How? By displaying a security alert on any page containing a form that is not secured with HTTPS, meaning a page that does not encrypt the data sent to the server.

Today Chrome (since version 53) displays a 'circle-i' in the address bar, indicating that the page is not SSL-secured.

This was a first step to ease the transition, since as of January 2017 unsecured forms will be considered dangerous.

A later version of the browser (not announced yet) will no longer display a 'circle-i' but a red triangle accompanied by an alert for every page served over HTTP, not only forms.

2 - Certificate Transparency

Widely used by Chrome since February 2015, especially for Extended Validation certificates, Certificate Transparency should be required for all types of certificates in 2017.

Reminder: Certificate Transparency requires the information of any SSL certificate to be published in public databases before issuance. This publication has to be done automatically by the Certification Authority.

A certificate not present in one of those databases will be considered dangerous by Chrome from October 2017.

Most Certification Authorities declare all the certificates they issue in CT; the others are automatically indexed by Google. It is most likely that your certificate is already registered in CT.

How to make sure my certificate is declared in Certificate Transparency?

The easiest way to do so is to use the Sectigo search engine, https://crt.sh: enter the name of your site and see if it is registered.

3 - Geolocation and other APIs

Since version 50 of Chrome, the geolocation API requires an HTTPS-secured origin in order to keep working.

Why?

Once again, Google is concerned with web users' privacy, especially their geolocation, which is particularly sensitive information.

Conclusion

All those measures are only a beginning, as Google has announced similar updates for other APIs.

It is therefore vital, in order to remain usable in a browser such as Chrome (which holds more than 50% of market share), to migrate all your web tools to HTTPS. We recommend applying Always-on-SSL principles such as HSTS.

How to make sure your websites are ready?

Use Canary, the tool for developers supplied by Google:

https://www.google.fr/chrome/browser/canary.html

Go to chrome://flags/#mark-non-secure-as and set to verbose

Go to chrome://flags/#security-chip and set to show non-secure only

You can now test your sites.
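To complement the manual Canary check, the following added example (not from the original article or from Google) audits captured pages for two conditions this article covers: forms whose data would travel over HTTP, and a missing HSTS header. It goes slightly beyond the text by also flagging a form on an HTTPS page whose action points to an HTTP URL; the function names and sample hosts are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormFinder(HTMLParser):
    """Collects the action attribute of every <form> in a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent or invalid."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("strict-transport-security", "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit_page(page_url, headers, html):
    """Return findings for one captured page (URL, response headers, body)."""
    findings = []
    finder = FormFinder()
    finder.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    for action in finder.actions:
        target = urljoin(page_url, action)  # an empty action posts back to the page
        if not page_https:
            findings.append("form on HTTP page")
        elif urlparse(target).scheme != "https":
            findings.append("form on HTTPS page posts to " + target)
    if page_https and not hsts_max_age(headers):  # missing, invalid or max-age=0
        findings.append("no effective HSTS header")
    return findings

# Constructed sample captures (hypothetical hosts), not taken from a real site.
SAMPLES = [
    ("http://example.test/login", {}, '<form action="/session"><input name="pw"></form>'),
    ("https://example.test/pay", {"Strict-Transport-Security": "max-age=31536000"},
     '<form action="http://example.test/charge"><input name="card"></form>'),
]

if __name__ == "__main__":
    for url, hdrs, body in SAMPLES:
        print(url, audit_page(url, hdrs, body))
```

Feed it the URL, response headers and body of each page you have saved from your own site; an empty list means neither condition was found on that page.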
