Secure browsing with Chrome and Firefox

Google is leading the push to an encrypted and more secure internet. The Chrome browser’s security team is changing the way Google Chrome handles web pages, with Firefox playing catch-up.

Have you noticed that little padlock icon that often appears on your browser’s address bar? Look at the left end of the navigation bar. What do you see?

On Chrome: 

On Firefox: 

On Internet Explorer (to the right): 

 

With the default HTTP protocol, all information is sent in plain text (unencrypted); any computer in between the sender and receiver can read the traffic. The padlock with HTTPS (the S stands for ‘secure’) means that the connection between your computer and the computer at the other end is secure, i.e. the traffic is encrypted and information cannot be snooped by a third party in transit. This is why people who build websites in a responsible fashion have at least ensured that their login pages and sensitive information (such as credit card information) are served over HTTPS instead of HTTP.

If you click on the padlock, you might see some more information that helps verify that the site is indeed owned by those who claim to own it. Like so:

Nevertheless, few people actually watch out for the padlock to see whether the sites that they log in to are secure. We need something simpler. This is what Chrome and Firefox have done: when a user goes to a page that requires sensitive information to be entered, the browser checks whether the connection is over HTTPS. If it is not, it warns the user that the page is not secure.
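A site owner can approximate this check offline against their own pages. The Python below is an added example, not Chrome's or Firefox's code and not part of the original post: it flags password and credit-card fields on non-HTTPS pages, and goes one step further by also flagging forms on HTTPS pages that submit to an HTTP address. Assumptions: credit-card fields are recognised by an `autocomplete="cc-…"` attribute, and the function names and the sample pages on `example.test` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages; example.test is a reserved test domain.
HTTP_LOGIN = '<form action="/session"><input name="u"><input type="password" name="p"></form>'
HTTPS_DOWNGRADE = '<form action="http://example.test/pay"><input autocomplete="cc-number"></form>'
SEARCH_ONLY = '<form action="/search"><input type="text" name="q"></form>'


class SensitiveFormFinder(HTMLParser):
    """Record each form's action and how many sensitive fields it holds."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # the form (or loose field group) being read

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "sensitive": 0}
            self.forms.append(self._current)
        elif tag == "input" and (a.get("type", "").lower() == "password"
                                 or a.get("autocomplete", "").lower().startswith("cc-")):
            if self._current is None:  # sensitive field outside any <form>
                self._current = {"action": "", "sensitive": 0}
                self.forms.append(self._current)
            self._current["sensitive"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return warnings for one page; an empty list means none apply."""
    finder = SensitiveFormFinder()
    finder.feed(html)
    warnings = []
    for form in finder.forms:
        if not form["sensitive"]:
            continue  # e.g. a search box: nothing sensitive is typed here
        if urlsplit(page_url).scheme != "https":
            warnings.append("not secure: sensitive input on a non-HTTPS page")
        target = urljoin(page_url, form["action"])  # empty action = the page itself
        if urlsplit(target).scheme != "https":
            warnings.append(f"not secure: form submits to {target}")
    return warnings
```

Calling `audit_page("http://example.test/login", HTTP_LOGIN)` returns two warnings, while the same markup served from an `https://` address returns none.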

See what happens when I click the ‘login’ box for Qantas’ site.

Chrome:

Firefox:

What if a technically-informed user tries to force the website to use HTTPS, but the site tries to ‘downgrade’ to HTTP? See the example when I navigate to https://www.trivago.hk

On Chrome:

On Firefox:

Also notice how different these warnings are from equivalent warnings in Internet Explorer:

While they do look ugly and slightly menacing, we have come across them enough times, especially at our workplaces, that we have learned to click through the warning to reach the sites that we wish to reach. Chrome and Firefox make the clicking a little bit more difficult in order to secure their users.

The major browsers, including Safari and IE/Edge, have gone further for sites that they consider to be actually malicious. They block them to prevent the user from unintentionally accessing them.

The long-term goal from Google is to make all sites use HTTPS so that our browsing is generally more secure. Google will give HTTPS-using sites an advantage over sites that do not use it in their search results. The plan was announced in advance so that website owners would have the time to make the required changes. It has also given Mozilla time to catch up and join the plan.

 

What can you do to improve your browsing security?

  1. Use a modern browser such as Chrome or Firefox (stop using Internet Explorer) that puts in the effort to protect you.
  2. Use the ‘HTTPS Everywhere’ add-on from EFF (Electronic Frontier Foundation) to force sites to use HTTPS if there is an HTTPS version.
  3. Use an ad-blocker to prevent malicious advertisements from showing up.

Also see:

https://www.essaysonsecurity.com/2016/12/21/securing-yourself-online/

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

https://support.mozilla.org/t5/Protect-your-privacy/How-to-stay-safe-on-the-web/ta-p/26286