I probably missed a Google blog post, but when I was checking the details of a TLS certificate in Chrome, I received this view.
Cool! The panel in the middle lists the origins the page loaded content from and whether each was fetched securely. The panel on the right gives a security overview. The green lock symbol means the page is secure; the other two symbols mark “Not Secure” and “Insecure (Broken).”
I know I’m going to be asked this question: “how do I get the details?” In Chrome, click the symbol to the left of the website address. A bubble appears with a “Details” link, which opens the Security panel in the developer tools. You can also get there directly by opening the developer tools (F12, or Ctrl+Shift+I / Cmd+Option+I) and selecting the Security tab.
Let’s do some testing, starting with Insecure (Broken). Loading the expired-certificate test page at badssl.com (expired.badssl.com) gives the red lock symbol. The details tell us there are issues with the certificate chain and an invalid date (i.e., the certificate has expired). Other badssl.com pages produced the same symbol for different reasons: an invalid common name for the wrong-host page (wrong.host.badssl.com) and “certificate authority invalid” for the self-signed page (self-signed.badssl.com).
Now for Not Secure; maybe a certificate signed with SHA-1 and expiring in 2016 (sha1-2016.badssl.com) will do. Tada! The blank page symbol is shown. The details indicate that the certificate’s signature uses SHA-1 and that it expires in 2016. (badssl.com also hosts sha1-2017.badssl.com; because that one expires after the SHA-1 cutoff, Chrome at the time rated it as broken rather than merely Not Secure.) Testing a page with mixed content (mixed.badssl.com, an HTTPS page that loads some resources over plain HTTP) also shows the blank page symbol.
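The three certificate failures above (expired, wrong host, self-signed) and the SHA-1 check can be reproduced on the command line without trusting anything on the network. The script below is an added example, not part of the original post or of badssl.com: it builds a throw-away CA with OpenSSL, issues one good leaf certificate and one self-signed one, then classifies each case with `openssl verify`. The hostnames good.example, wrong.example and self-signed.example, the CA name, and the 400-day jump used to simulate expiry are all made up for the demo; it assumes an `openssl` binary (1.1.1 or later) is on the PATH. Mixed content is a page-content problem rather than a certificate problem, so it is not covered here.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce three badssl.com
# certificate failure classes offline with a throw-away CA and `openssl verify`,
# and read off the signature digest that the SHA-1 case is about.
# good.example / wrong.example / self-signed.example and the CA name are made up
# for this demo; nothing here touches the network.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:good.example
EOF

# Throw-away CA; the demo trusts it explicitly via -CAfile below.
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/ca.key" -days 3650 \
  -config "$WORK/openssl.cnf" -out "$WORK/ca.pem" 2>/dev/null

# Leaf for good.example, SHA-256 signed by the CA, valid for one year.
openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
openssl req -new -key "$WORK/leaf.key" -subj "/CN=good.example" \
  -config "$WORK/openssl.cnf" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/openssl.cnf" -extensions leaf \
  -out "$WORK/leaf.pem" 2>/dev/null

# Self-signed leaf: its own issuer, trusted by nobody (self-signed.badssl.com).
openssl genrsa -out "$WORK/self.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/self.key" -subj "/CN=self-signed.example" \
  -days 365 -config "$WORK/openssl.cnf" -out "$WORK/self.pem" 2>/dev/null

# verify_code HOST EPOCH CERT -> prints 0 on success, otherwise the X509_V_ERR
# code of the first failure (10 expired, 62 hostname mismatch, 18 self-signed).
# -attime evaluates validity at a chosen time instead of waiting a year.
verify_code() {
  out="$(openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
           -attime "$2" "$3" 2>&1 || true)"
  code="$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)"
  if [ -n "$code" ]; then
    echo "$code"
  else
    case "$out" in *": OK"*) echo 0 ;; *) echo unknown ;; esac
  fi
}

now="$(date +%s)"
in_400_days=$((now + 400 * 86400))

check_good()        { verify_code good.example        "$now"         "$WORK/leaf.pem"; }
check_expired()     { verify_code good.example        "$in_400_days" "$WORK/leaf.pem"; }  # expired.badssl.com
check_wrong_host()  { verify_code wrong.example       "$now"         "$WORK/leaf.pem"; }  # wrong.host.badssl.com
check_self_signed() { verify_code self-signed.example "$now"         "$WORK/self.pem"; }  # self-signed.badssl.com

# Signature digest of the leaf: "sha1WithRSAEncryption" here is what Chrome
# flagged on sha1-2016.badssl.com. Our CA signed with SHA-256.
leaf_sig_alg() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

printf 'valid cert, right host:   %s\n' "$(check_good)"
printf 'expired (checked +400d):  %s\n' "$(check_expired)"
printf 'wrong host:               %s\n' "$(check_wrong_host)"
printf 'self-signed:              %s\n' "$(check_self_signed)"
printf 'leaf signature algorithm: %s\n' "$(leaf_sig_alg)"
```

The script keys on the numeric X509_V_ERR codes rather than the error text because the wording changes between OpenSSL releases (“self signed certificate” became “self-signed certificate” in 3.0) while the codes do not. To check a real site the same way, fetch its chain with `openssl s_client -connect host:443 -servername host -showcerts` and run `openssl verify -verify_hostname host` over it; a `Signature Algorithm:` line starting with `sha1` is the SHA-1 case from the post.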
Users need to be wary when using a Not Secure page. Some will probably be okay in the short term, but others are more exposed to attack: a SHA-1 signature is vulnerable to collision attacks, and any resource a mixed-content page loads over plain HTTP can be read or replaced by an attacker on the network path. These site owners are trying to deploy TLS, but are not following the best practices that would mitigate these weaknesses.
But what about plain HTTP? No security at all; the website administrator is not even trying. What would the symbol be? Would it be rated even worse than Insecure (Broken)? Let’s see.
Oops! HTTP shows the blank page symbol, the same one used for Not Secure HTTPS. Does that make sense? Let’s assume that this is still a beta and Google will work out the bugs. (Chrome did eventually change this: since Chrome 68 in 2018, every plain-HTTP page is labelled “Not secure” in the address bar.)
This is a good exercise for checking whether your own sites follow TLS best practices. Try opening the security details for each of them.