According to the Google Security Blog, Chrome version 56, expected to be released around January 31, 2017, will warn users of HTTP pages that collect passwords or credit cards.
On the blog, Emily Schechter of the Chrome Security Team explained:
“Studies show that users do not perceive the lack of a ‘secure’ icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as ‘not secure,’ given their particularly sensitive nature.
In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as ‘not secure’ in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”
While the vast majority of e-commerce sites use HTTPS for credit card entry, millions of people who run WordPress without TLS will notice this change the first time they try to log in using Chrome 56, because the login form's password field is exactly what triggers the label. There is no need to panic (“Not secure” is an indicator only, not a blocking interstitial), but all website owners should begin migrating to HTTPS now rather than waiting for the later, more aggressive phases.
Google’s phased implementation makes sense, and hopefully Microsoft and Apple will follow suit. Chrome users who wish to preview a more secure future, or test their own sites, can navigate to chrome://flags, note the warning at the top of the page, scroll down to “Mark non-secure origins as non-secure” and select “Always mark HTTP as actively dangerous.” Hopefully in the future, the “Not Secure” indicator for HTTP will be accompanied by the same warning page currently presented for HTTPS sites with certificates that cannot be validated.
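To make the Chrome 56 criterion concrete, here is an added example (my own code, not from the column, from Google, or from Chrome’s source) that a site owner can run offline against saved HTML to see which pages would pick up the “Not secure” label. It assumes that Chrome’s detection can be approximated by looking for `<input type="password">` and for inputs whose `autocomplete` token starts with `cc-` (the HTML autofill credit-card field names); Chrome’s real credit-card heuristics are broader, so treat a clean result here as necessary but not sufficient. The sample pages are constructed for the example; the WordPress-style login form mimics the `pwd` field on `wp-login.php`.

```javascript
// Added example: approximate Chrome 56's "password or credit card field on
// an HTTP page" check against raw HTML. Assumption: password inputs and
// autocomplete="cc-*" inputs are the trigger; real Chrome uses more heuristics.

const INPUT_TAG = /<input\b[^>]*>/gi;

// Extract one attribute value (double-quoted, single-quoted, or bare) from a
// single <input ...> tag string; returns null when the attribute is absent.
function attr(tag, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  if (!m) return null;
  const value = m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
  return value.trim().toLowerCase();
}

// List the sensitive inputs on a page: password fields and credit-card
// autofill fields (autocomplete tokens such as cc-number, cc-exp, cc-csc).
function sensitiveFields(html) {
  const found = [];
  for (const tag of html.match(INPUT_TAG) || []) {
    const type = attr(tag, 'type') || 'text';
    const autocomplete = attr(tag, 'autocomplete') || '';
    if (type === 'password') {
      found.push({ kind: 'password', tag });
    } else if (/(^|\s)cc-/.test(autocomplete)) {
      found.push({ kind: 'credit-card', tag });
    }
  }
  return found;
}

// Decide whether Chrome 56 would label this page "Not secure": the page must
// be served over plain http: AND contain at least one sensitive field.
function chrome56Verdict(pageUrl, html) {
  const scheme = new URL(pageUrl).protocol;
  const fields = sensitiveFields(html);
  return {
    url: pageUrl,
    scheme,
    fields: fields.map((f) => f.kind),
    notSecure: scheme === 'http:' && fields.length > 0,
  };
}

// Constructed sample pages (not captured from any real site).
const SAMPLE_PAGES = [
  // WordPress-style login form served over HTTP: flagged.
  ['http://blog.example/wp-login.php',
   '<form method="post"><input type="text" name="log" id="user_login">' +
   '<input type="password" name="pwd" id="user_pass"></form>'],
  // Same form over HTTPS: the field is sensitive, but the transport is fine.
  ['https://blog.example/wp-login.php',
   '<form method="post"><input type=\'password\' name="pwd"></form>'],
  // Checkout page over HTTP using autofill credit-card tokens: flagged.
  ['http://shop.example/checkout',
   '<input autocomplete="cc-number" name="card"><input autocomplete="cc-exp" name="exp">'],
  // Contact form over HTTP with no sensitive fields: not flagged in Chrome 56
  // (it will be once Google extends the label to all HTTP pages).
  ['http://shop.example/contact',
   '<input type="email" name="from"><input type=text name="subject">'],
];

function scanSamples() {
  return SAMPLE_PAGES.map(([url, html]) => chrome56Verdict(url, html));
}

for (const v of scanSamples()) {
  console.log(`${v.notSecure ? 'NOT SECURE' : 'ok        '} ${v.url} fields=[${v.fields.join(',')}]`);
}
```

Run it with `node` and feed your own saved pages into `chrome56Verdict`; anything that comes back `notSecure: true` is a page your Chrome 56 visitors will see labelled, and the fix is the same in every case: serve it over HTTPS and redirect the HTTP URL.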
Also earlier this month, the FTC filed suit against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that “inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.”
This action by the FTC has been widely reported, but many writers have missed an important nuance. The FTC did not take action against D-Link simply due to security issues in their products. The core of the complaint is that D-Link promoted the products as “easy to secure” and having “advanced network security,” but according to the FTC, “in numerous instances, Defendants have failed to take reasonable steps to secure the software for their routers and IP cameras, which Defendants offered to consumers, respectively, for the purpose of protecting their local networks and accessing sensitive personal information.”
The partially redacted court documents allege three security failings: failing to take reasonable software testing and remediation measures to protect routers and IP cameras against well-known and easily preventable software security flaws; failing to take reasonable steps to maintain the confidentiality of their private code signing key; and storing users’ mobile application login credentials in clear text on the mobile device.
According to the FTC, D-Link was “engaging in unfair or deceptive acts or practices” contrary to US law. In their public response, D-Link characterized the FTC’s allegations as “vague and unsubstantiated,” and indicated the company “will vigorously defend itself against the unwarranted and baseless charges.” They also argue that “the complaint does not allege any breach of a D-Link Systems device. Instead, the FTC speculates that consumers were placed ‘at risk’ to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries.”
Regardless of the outcome, the FTC’s action puts product developers on notice that security claims a vendor cannot back up with reasonable engineering practice may draw civil enforcement action, whether or not a breach has actually occurred. Many consumer networking and IoT products exhibit poor security characteristics. Product vendors take note: farewell to the era of tolerating security negligence.
Have a security question you’d like answered in a future column? Please email me.