Google’s Chrome web browser is used by over 50% of users on the web. When you visit a website that is using SSL (the protocol now called TLS, which is what HTTPS runs over), you see a green message in your browser location bar that says “Secure”. “Secure” in the Chrome browser does not mean “Safe”. In this post I will explain why in terms that are easy to understand and tell you what to do about it. I’ve written this post to be easy to read. I’d like to encourage you to share it with friends and family to help them stay secure.
For our technical readers, here is a summary of what we discuss in this post:
We show that SSL certificates are being issued by more than one certificate authority (CA) to phishing sites pretending to be Google, Microsoft, Apple and other well-known companies.
A valid certificate causes Chrome to show a website as “Secure”.
When a CA realizes it should not have issued a certificate and revokes it, we show that Chrome still shows the site as “Secure”. The “revoked” status is only visible in Chrome developer tools.
Malicious sites that have been issued valid SSL certificates take some time to appear
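The summary above says CAs are issuing valid certificates to sites pretending to be Google, Microsoft, Apple and others, and that a valid certificate is all Chrome needs to show “Secure”. Since the browser will not flag these names, defenders typically watch the certificate names themselves, for example by feeding Certificate Transparency log entries through a lookalike check. The script below is an added example written for this post (it is not the post’s code, nor any vendor’s tool): it takes a constructed batch of Subject Alternative Names in the form they appear in a CT log feed, decodes punycode (“xn--”) labels, normalises common digit-for-letter and Cyrillic-for-Latin substitutions, and flags names that contain a brand outside that brand’s own apex domain. The brand list, the apex list, the confusable table and the “last two labels” apex approximation are all assumptions chosen for the example; a production monitor would use the Public Suffix List and the full Unicode confusables data.

```python
# Added example: brand-lookalike triage for certificate names seen in a CT log.
# All sample names below are constructed for this example.

# The Cyrillic "apple" lookalike is built from code points so that the punycode
# form in the sample list is exact and round-trips.
CYRILLIC_APPLE = "\u0430\u0440\u0440\u04cf\u0435"   # а р р ӏ е

# Constructed Subject Alternative Names as a CT log would present them.
SAMPLE_SAN_NAMES = [
    "www.google.com",                                # the real thing
    "accounts.google.com.secure-login.example",      # brand as leading labels
    "appleid-apple.example",                         # brand glued on with a hyphen
    "microsoft-account-verify.example",
    "paypa1.example",                                # digit-for-letter swap
    "xn--" + CYRILLIC_APPLE.encode("punycode").decode("ascii") + ".example",
    "mail.example",                                  # nothing to do with a brand
]

BRANDS = ("google", "microsoft", "apple", "paypal")          # assumed watch list
# Apex domains the brands actually control; anything under them is not a lookalike.
LEGITIMATE_APEX = {"google.com", "microsoft.com", "apple.com", "paypal.com"}

# Substitutions phishers rely on: digits that look like letters, and Cyrillic
# letters that render identically to Latin ones. Constructed subset, not the
# full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u04cf": "l",
})


def decode_label(label):
    """Turn an A-label (xn--...) back into Unicode; plain labels pass through."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def registered_domain(hostname):
    """Approximation: the last two labels. Real monitors use the Public Suffix List."""
    return ".".join(hostname.split(".")[-2:])


def classify(hostname):
    """Return (verdict, brands) for one SAN entry.

    verdict is 'legitimate' (under a brand's own apex), 'lookalike' (a brand
    name appears after normalisation) or 'unrelated'.
    """
    host = hostname.lower().rstrip(".")
    if registered_domain(host) in LEGITIMATE_APEX:
        return "legitimate", frozenset()
    labels = [decode_label(label) for label in host.split(".")]
    normalised = ".".join(labels).translate(CONFUSABLES)
    hits = frozenset(b for b in BRANDS if b in normalised)
    return ("lookalike" if hits else "unrelated"), hits


def scan(names):
    """Classify a batch of SAN entries; returns {hostname: (verdict, brands)}."""
    return {name: classify(name) for name in names}


if __name__ == "__main__":
    for name, (verdict, hits) in scan(SAMPLE_SAN_NAMES).items():
        print(f"{verdict:10} {name}  {sorted(hits)}")
```

Every name in the sample could carry a perfectly valid certificate, so each would get the green “Secure” label; only the name-level check separates www.google.com from the five lookalikes. The interesting cases are the punycode label, which decodes to Cyrillic letters that draw exactly like “apple”, and paypa1, which passes as PayPal only after the digit is normalised.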