34

I work for a corporation and we are all given a kind of employee login system whose URL goes like this in the image below. (Sorry, I cannot disclose the full URL.)

Not Secure

I thought "Not Secure" had something to do with SSL certificates or something like that, but after clicking "view site information", I got this:


I manually blocked Flash, but I don't know what could possibly be done with cookies, and even if something were possible, I couldn't take the risk of doing that on a corporate website.

I have a few questions in mind:

  1. What exactly does "Not Secure" mean? Does it mean it's an "HTTP only" website?

  2. What are all the possible reasons for a site to be "Not Secure"?

  3. Is it OK to have an account login site that is "Not Secure"?

  4. Do cookies have something to do with a site being not secure?

  5. What are possible ways to make this site secure and how can I inform those responsible to make it secure?

schroeder
C0deDaedalus
  • Note that the further information says “Your connection to this site is not secure”, rather than “This site is not secure” (the latter may mean things like the site having known vulnerabilities or whatever): when Chrome shows “Not secure” in the address bar, it means only the former (the connection is insecure). – ShreevatsaR Feb 12 '18 at 02:57
  • It may not be applicable here (but could be if the OP has an early version), but build 66 of Chrome (due for public release April 17 2018) will "_warn as not secure_" any HTTPS connection backed by most Symantec-derived certificates (see [story on The Register](https://www.theregister.co.uk/2018/02/07/beware_the_coming_chrome_certificate_apocalypse/)). – TripeHound Feb 12 '18 at 09:44
  • You could easily disclose the scheme (`http[s]://`) part and it would be fairly evident if the HTML was downloaded with one or the other. – Nick T Feb 12 '18 at 23:41
  • Hmm, this made me wonder: if it were possible to do tunneling, and send HTTP over HTTPS, would that make HTTP "secure"? (late night thought) – DarkCygnus Feb 13 '18 at 04:03
  • Just got a mail reply (after 14 hours) from `Senior Admin`: "We are on a move to make it better and more secure." – C0deDaedalus Feb 13 '18 at 04:40

3 Answers

50

What exactly does Not Secure mean? Does it mean an HTTP-only website?

"Not secure" in Chrome means that the site isn't using HTTPS.

What are all the possible reasons for a site being Not Secure?

To get the exact error above, it's just when a site doesn't use HTTPS. However, you can get a similar not secure error if the site's certificate is invalid or if there isn't HTTPS over the whole page.

Is it OK to have an account login site as Not Secure?

No, this is not OK - if somebody can intercept a login request, they can see the user's login credentials. IBBoard made a good point in the comments - having a login site without HTTPS which is on the internal corporate network isn't as dangerous as it being a public site where it can be accessed from your home PC. It's still not secure, but the only people who can really MiTM the connection are the company system administrators (assuming the network is set up correctly).

Do cookies have something to do with a site being not secure?

If the site isn't using HTTPS, this means cookies are sent in the clear. This could cause issues when the cookies contain sensitive data such as tokens, which can lead to session hijacking.

What are possible ways to make this site Secure, and how can I inform the responsible ones to make it Secure?

By using HTTPS with a valid certificate, Chrome will mark the site as "Secure". However, as stated by Edu, even a website with a valid certificate can be non-secure if it is also serving non-secure content such as HTTP images. Mixed content (having HTTP items in HTTPS pages) is considered non-secure. If you're concerned about the security of this login site, I'd express your concerns to the IT department and see what they can do about it.

Joe
  • For the fifth question I would also add that even a website with a valid certificate can be non-secure if it is also serving non-secure content such as http images. Mixed content (having http items in https pages) is considered non-secure. – Edu Feb 11 '18 at 23:42
  • @Joe On a semi-unrelated side note, my IT admin said "It's all OK until you open it in Chrome/Chromium!" That's strange! So, is it possible that a site marked as `Not Secure` in Chrome/Chromium can be secure in some other browser? – C0deDaedalus Feb 12 '18 at 04:10
  • Important note: it's possible the site _allows_ HTTPS with a valid setup, but doesn't redirect you to _require_ it. (For a while, there was a popular extension called HTTPS Everywhere that would automatically redirect the URLs of Facebook, etc., to use HTTPS because of this problem.) So, it's possible that the site already has a valid certificate, and the IT department just needs to set up a redirect to HTTPS. – SirTechSpec Feb 12 '18 at 06:55
  • @Joe: the connection to this server is `not secure` as disclosed by Chrome; this is a protocol problem (the connection isn't encrypted for the full page content). This vulnerability is usable on any network on which your communication travels. This vulnerability is fully independent of the browser you use. Chrome is the most trustworthy browser on this particular point. – dan Feb 12 '18 at 07:04
  • @C0deDaedalus - your sysadmin is wrong. If the page is insecure (HTTP only, or mixed HTTP/HTTPS) then it is insecure whichever browser you use. The difference is that Chrome is warning you about it. – IBBoard Feb 12 '18 at 09:24
  • One pragmatic caveat that I'd add on "Is it OK to have an account login site as Not Secure?" is around whether this is an intranet site (i.e. only on an internal corporate network and not accessible from your home PC or other computers). If that's the case then it still isn't secure *but* the only people who can really Man-in-the-Middle that connection are your company sysadmins - who generally already run both the server and your machine, and so have the keys to the kingdom. It's not perfect and should ideally be fixed, but it is lower risk than public websites reporting as insecure. – IBBoard Feb 12 '18 at 09:28
  • @IBBoard what you say is not strictly correct. Chrome is known to blacklist certificate authorities at will, and much earlier than other browsers/OSes. While the connection stays fully encrypted, Chrome begins to show it as "not secure" because they don't like the certificate authority (see: StartCom, Symantec, etc.). – Spc_555 Feb 12 '18 at 10:22
  • @VasilyAlexeev You mean the certificate authorities that Mozilla and Apple are also rejecting because they breached CA requirements and hence their certificates can't be considered to be "correctly issued" and could be insecure? – IBBoard Feb 12 '18 at 14:39
  • @IBBoard: Yes, it's true that if you have a malicious sysadmin, you're in all kinds of trouble. However, even my sysadmins don't know my password. They can reset my password, but then I notice. So there could still be a value to them in doing a MITM to get my password in order to impersonate me (and so cover their own tracks). Chances are it's minimal, but it's not zero. – Adam Feb 12 '18 at 14:54
  • To be honest, I'd rate "having a login page on http" as a bigger security risk than "disclosing an internal URL on SO" :) And a much bigger security risk is having sysadmins who allow http in the first place and think it's secure in other browsers just because they don't (yet) warn about it! – Adam Feb 12 '18 at 14:55
  • @Adam But if you've got a malicious sysadmin then they don't need to MitM you on the intranet. They could instead backdoor the web app and collect your credentials that way. By that point the SSL layer has been decrypted and you've got the plain text data. The only group of sysadmins you'd be protected against with HTTPS would be network-only sysadmins. – IBBoard Feb 12 '18 at 15:12
  • If login credentials are sent in the clear, then you don't need MITM to eavesdrop on them. In many network configs (most obviously Wi-Fi networks that are either unencrypted or PSK), it's possible for unprivileged users to passively intercept all traffic, which would be enough to get the login credentials. – James_pic Feb 12 '18 at 16:11
  • @James_pic And anyone connected to a Wi-Fi network can read the data sent by anyone else on the network. – Toothbrush Feb 12 '18 at 18:03
  • @IBBoard `but the only people who can really Man-in-the-Middle that connection are your company sysadmins` assuming everything else is also set up correctly. Any incorrect configuration in the network may accidentally route traffic outside the secured part of the network (and then back in). – Martin York Feb 12 '18 at 19:00
  • It can also mean the certificate provided is from a non-trusted CA. – Caterpillaraoz Feb 13 '18 at 08:55
  • @Adam Your sysadmin can install arbitrary software with administrative rights on your machine. Much easier than waiting for you to access a site and logging traffic. Well, except that it's even easier than that, because they also control the backend server that does handle your credentials in plaintext (HTTPS only helps during transport, after all). – Voo Feb 13 '18 at 13:19
6

Does not secure mean HTTP?

Yes, at the moment there are rules about which sites using http will show as not secure, which are available here.

Why would this site show as not secure?

There are 2 main options:

  • it has a password input
  • it has a credit card input
jrtapsell
  • Basically, Chrome will display that warning whenever there's any kind of input field or form on the page. From this summer, Chrome will always show this warning, regardless of it having any input fields/forms or not. https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn – techfly Feb 12 '18 at 13:34
4

To be precise: “Insecure” refers to your connection to the server, not necessarily the server itself. It could be that a server offers http as well as https connections. Ideally, it would then redirect any http access to https. If it does not, you need to specify the https: protocol explicitly in the URL. Talk to your sysadmin in this case.

Renardo
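The conditions raised across these answers (a login page served over plain http, cookies set without the Secure attribute so they travel in the clear, mixed http content on an https page, and whether the http side redirects to https as Renardo and SirTechSpec suggest) can all be read off a captured response. The script below is an added example written for this thread, not code from the question or any of the answers. It takes a URL, status code, header list and HTML body, so it needs no network access; the sample responses at the bottom are constructed with placeholder hostnames, not captured from the asker's site.

```python
"""Offline checker for what Chrome's "Not secure" label can point to.

Added example, not code from the question or its answers. It works on a
captured response (URL, status, headers, body); the samples at the bottom
are constructed with placeholder hostnames.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ResourceCollector(HTMLParser):
    """Collect URLs of sub-resources a browser would actually load."""

    SRC_TAGS = {"script", "img", "iframe", "source", "video", "audio"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Only stylesheets are fetched; rel="canonical" etc. are not.
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel and a.get("href"):
                self.urls.append(a["href"])
        elif tag in self.SRC_TAGS and a.get("src"):
            self.urls.append(a["src"])


def mixed_content(page_url, html):
    """Sub-resource URLs that an https page pulls over plain http."""
    if urlsplit(page_url).scheme != "https":
        return []  # whole page is plain http; mixed content is moot
    collector = _ResourceCollector()
    collector.feed(html)
    return [u for u in collector.urls if urlsplit(u).scheme == "http"]


def insecure_cookies(headers):
    """Names of cookies set without the Secure attribute.

    headers is a list of (name, value) pairs, since Set-Cookie may repeat.
    """
    names = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        attrs = [part.strip() for part in value.split(";")]
        if not any(part.lower() == "secure" for part in attrs[1:]):
            names.append(attrs[0].split("=", 1)[0])
    return names


def redirects_to_https(status, headers):
    """True when a plain-http response sends the browser to an https URL."""
    if status not in (301, 302, 307, 308):
        return False
    for name, value in headers:
        if name.lower() == "location":
            return urlsplit(value).scheme == "https"
    return False


def assess(url, status, headers, html):
    """Return human-readable findings for one captured response."""
    findings = []
    if urlsplit(url).scheme == "http":
        if redirects_to_https(status, headers):
            findings.append("http redirects to https (fine, as long as the https side is clean)")
        else:
            findings.append("page served over plain http: credentials and cookies travel in the clear")
    for cookie in insecure_cookies(headers):
        findings.append(f"cookie {cookie!r} lacks the Secure attribute")
    for resource in mixed_content(url, html):
        findings.append(f"mixed content: {resource}")
    return findings


# Constructed sample responses (placeholder hostnames, not a real site).
LOGIN_HTTP = dict(
    url="http://intranet.example/login", status=200,
    headers=[("Content-Type", "text/html"),
             ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly")],
    html='<form method="post"><input type="password" name="pw"></form>')
LOGIN_HTTPS_MIXED = dict(
    url="https://intranet.example/login", status=200,
    headers=[("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly")],
    html='<img src="http://intranet.example/logo.png">'
         '<script src="https://intranet.example/app.js"></script>')
HTTP_REDIRECT = dict(
    url="http://intranet.example/login", status=301,
    headers=[("Location", "https://intranet.example/login")], html="")

if __name__ == "__main__":
    for label, response in (("LOGIN_HTTP", LOGIN_HTTP),
                            ("LOGIN_HTTPS_MIXED", LOGIN_HTTPS_MIXED),
                            ("HTTP_REDIRECT", HTTP_REDIRECT)):
        print(label, assess(**response) or ["no findings"])
```

Feeding it a real capture means saving the URL you typed, the status line, the response headers as a list of pairs and the body; a 301 from the http URL to the https one is the "redirect to require it" case from SirTechSpec's comment, while an http response with a 200 and a password field is the situation the question describes.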