The Chrome build 68 went live earlier this month, which brings an anticipated change to HTTPS browser address bar notifications. Any web page not running HTTPS with a valid TLS certificate will show a "Not secure" warning in the Chrome address bar from version 68 onward.
So what does this mean for you and your network security?
If your website displays “Not Secure”…
You should be very concerned. All responsibility in this situation is on the website owner to make their site compliant with HTTPS/TLS standards. Though we don’t specifically advise on website design and creation, there are good resources out there. To begin with, I recommend starting with Troy Hunt’s recent article on SSL called, HTTPS Is Easy!
How concerned should I be about my employees working online?
I think it’s safe to say you should have a moderate level of concern – this change emphasizes a standard that has been known. “Not Secure” websites have been around for some time, so nothing is technically being changed except the warning to the user. The most important things to keep in mind are the following:
1) First, HTTPS sites are NOT automatically trustworthy.
2) And secondly, non-HTTPS sites should be treated with caution. Sites that display the "Not Secure" warning in Chrome, or only show http:// rather than https:// as the address prefix in any browser, should be treated with extra suspicion, especially when entering information or downloading files.
Your behavior shouldn’t be anything entirely new. This new red flag being presented by Chrome is mostly a reminder to re-emphasize current suggested practices.
Online browsing safety and housekeeping: What precautions can my employees make to be sure they browse online safely?
1. Issue employee training
Understanding the normal dangers of web browser use is an important part of workstation training. Any page that asks for information or invites the user to click on links should be considered carefully. Files downloaded from the internet, whether documents or executables, should be vetted to the best of the user's abilities, including a scan with the local antivirus/security software, or with the scan available on virustotal.com. Hosted advertisements on web pages are often able to load malicious code even without user interaction, so avoid sites with hosted advertisements and use an ad-blocker.
2. Employ browser standardization
Chrome is ideal. Standardizing browsers helps standardize experience and training across employees, increases the level of central control over configurations and add-ins the administrators are able to leverage for security.
3. Uninstall Flash and Java unless necessary for work sites
If it is necessary for work, explicitly allow them to run only on work sites. This isn’t feasible for some users because many professional sites still use Java and Flash. But whenever they can be avoided on a work computer, they should be.
4. Install an ad-blocker browser plugin
uBlock Origin is an ideal browser plugin. An ad-blocker will stop many malicious files from being loaded into the page in the first place and improve the quality of life when browsing the web.
5. Use Two Factor Authentication when available
2FA (Two Factor Authentication) on all available services will decrease the likelihood that an attack based on insecure HTTP will be able to get working credentials, and will make stolen credentials worthless on their own. It's especially important to set this up on your banking and primary personal email. All services that can have it set up, should have it set up.
6. Incorporate the use of a password manager
A password manager with a browser plugin and 2FA (Two Factor Authentication) enabled. LastPass is ideal. This will help you keep passwords that are complex and unique to each service that you use, and help you update them when necessary.
7. Limit recreational browsing on work machines
Everyone needs regular downtime at their desk, but if you use a phone, tablet, or other personal device connected to guest wifi, you’ll be protecting the integrity and performance of your own workstation.
8. Don’t browse the web from a local administrator account
The account used for day-to-day workstation tasks should not have local administrative rights on the machine; a separate local administrative account can be used for installs and other admin tasks. This will prevent web pages from silently loading things that require admin privileges.
9. Only join trusted wifi networks
Several attacks take advantage of HTTP vulnerability through presenting their own wifi network to join and intercepting attempts to browse the internet. If you must join a public wifi network, use a personal Virtual Private Network (VPN).
We implement several anti-virus layers that mitigate browser attacks: local firewall CFS (content filtering service), OpenDNS root hints (to limit access to bad sites), MVPS hosts file (safety redirects on the machine level), Webroot browser and OS (operating system) scanning, and OS/browser updates, among others. Though our customers’ networks have layers of security, not all networks do. So precaution is important in this ever-changing age of business security threats.