Chrome browser security tweak could badly impact loads of popular websites

News
By Darren Allan
published

Warnings over insecure sites could see traffic dip severely

The next version of the Chrome browser, which should be released imminently, could cause problems with a whole host of websites.

This is because Google’s browser will no longer support HTTPS certificates issued by Symantec before June 2016, and that includes various legacy certificates from the likes of Equifax, Thawte and VeriSign.

Affected websites include over 1,100 sites in the top million as ranked by Alexa.com, and as Scott Helme, a security researcher, found, they include the likes of Citrus, Pantone, Penn State Federal, the Federal Bank of India, and the Tel-Aviv city government.

Potentially more web pages could be affected, too, as Helme’s search only covered the certificate for the site itself, and not potential elements like sub-resources on a page somewhere on the site which might employ one such legacy certificate.

Certificate clampdown

The move is being made due to worries over the security of these Symantec-issued certificates. As TechCrunch reports, Google (and others besides) previously accused Symantec of issuing ‘misleading’ certificates, and subsequently it was found that the security firm had allowed non-trusted organizations to issue certificates.

Hence Google isn’t happy about their usage in this respect, and so has taken action against these certificates in order to better protect surfers using Chrome.

There are a couple of things to note here. First of all, sites using these certificates have had over a year’s worth of warning to change them, so there isn’t much excuse on the timescale front.

Secondly, Chrome won’t actually outright block sites using these thought-to-be-potentially-dodgy certificates, but it will flag them with error messages about the website being potentially insecure. And more than likely, that will put off the average web surfer from visiting said site, as you can imagine.

As mentioned, this isn’t happening in the current version of Chrome, but rather in the next version – Chrome 70 – which should be released very soon, likely around mid-October.

A few big-name firms have only just changed their website certificate to fall in line with Google’s wishes, and they include Ferrari and Solidworks.

As you may have seen, Chrome recently celebrated a decade of its existence, complete with a fresh lick of paint, plus Google also upgraded its search bar. It’s still very much the dominant browser in the desktop computing world, which means that sites affected by this certificate issue will doubtless feel the pinch when it comes to their traffic.

Darren Allan

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).