34

I work for a corporation and we are all given a kind of employee login system whose URL goes like this in the image below. (Sorry, I cannot disclose the full URL.)

[image: browser address bar showing the URL marked "Not Secure"]

I thought "Not Secure" had something to do with SSL certificates or something like that, but after clicking "view site information", I got this:

[image: Chrome's site information panel]

I manually blocked Flash, but don't know what possibly can be done with cookies and also if possible I couldn't take a risk for doing that on a corporate website.

I have a few questions in mind:

  1. What exactly does "Not Secure" mean? Does it mean it's an "HTTP only" website?

  2. What are all the possible reasons for a site to be "Not Secure"?

  3. Is it OK to have an account login site that is "Not Secure"?

  4. Do cookies have something to do with a site being not secure?

  5. What are possible ways to make this site secure and how can I inform those responsible to make it secure?

5
  • 10
    Note that the further information says “Your connection to this site is not secure”, rather than “This site is not secure” (the latter may mean things like the site having known vulnerabilities or whatever): when Chrome shows “Not secure” in the address bar, it means only the former (the connection is insecure). Commented Feb 12, 2018 at 2:57
  • 2
    It may not be applicable here (but could be if the OP has an early version), but build 66 of Chrome (due for public release April 17 2018) will "warn as not secure" any HTTPS connection backed by most Symantec-derived certificates (see story on The Register).
    – TripeHound
    Commented Feb 12, 2018 at 9:44
  • 1
    You could easily disclose the scheme (http[s]://) part and it would be fairly evident if the HTML was downloaded with one or the other.
    – Nick T
    Commented Feb 12, 2018 at 23:41
  • Hmm, this made me wonder: If it were possible to do Tunneling, and send HTTP over HTTPS would that make HTTP "secure" (late night though)
    – DarkCygnus
    Commented Feb 13, 2018 at 4:03
  • 2
    Just got mail reply(After 14 hours) from Senior Admin that "We are on a move to make it better and more secure." Commented Feb 13, 2018 at 4:40

3 Answers

49

What exactly Not Secure means ? Does it means HTTP only website ?

"Not secure" in Chrome means that the site isn't using HTTPS.

What are all possible reasons for site being Not Secure ?

To get the exact error above, it's just when a site doesn't use HTTPS. However, you can get a similar not secure error if the site's certificate is invalid or if there isn't HTTPS over the whole page.

Is it OK to have an Account Login Site as Not Secure?

No, this is not ok - if somebody can intercept a login request, they can see the user's login credentials. IBBoard made a good point in the comments - having a login site without HTTPS which is on the internal corporate network isn't as dangerous as it being a public site where it can be accessed from your home PC. It's still not secure, but the only people who can really MiTM the connection are the company system administrators (assuming the network is set up correctly).

Do Cookies have something to do regarding site as being not secure ?

If the site isn't using HTTPS, this means cookies are sent in the clear. This could cause issues when the cookies contain sensitive data such as tokens, which can lead to session hijacking.

What are possible ways to make this site as Secure and How can I inform the responsible ones to make it Secure ?

By using HTTPS with a valid certificate, Chrome will mark the site as "Secure". However, as stated by Edu, even a website with a valid certificate can be non-secure if it is also serving non-secure content such as HTTP images. Mixed content (having HTTP items in HTTPS pages) is considered non-secure. If you're concerned about the security of this login site, I'd express your concerns to the IT department and see what they can do about it.

16
  • 5
    For the fifth question I would also add that even a website with a valid certificate can be non-secure if it is also serving non-secure content such as http images. Mixed content (having http items in https pages) is considered non-secure.
    – Edu
    Commented Feb 11, 2018 at 23:42
  • 3
    @Joe: the connection to this server is not secure as disclosed by Chrome, this is a protocol problem (the connection isn't encrypted for the full page content). This vulnerability is usable on any network on which your communication travels. This vulnerability is fully independent of the browser you use. Chrome is the most trustworthy browser on this particular point.
    – dan
    Commented Feb 12, 2018 at 7:04
  • 17
    @C0deDaedalus - your sysadmin is wrong. If the page is insecure (HTTP only, or mixed HTTP/HTTPS) then it is insecure whichever browser you use. The difference is that Chrome is warning you about it.
    – IBBoard
    Commented Feb 12, 2018 at 9:24
  • 4
    One pragmatic caveat that I'd add on "Is it OK to have an Account Login Site as Not Secure?" is around whether this is an intranet site (i.e. only on an internal Corporate network and not accessible from your home PC or other computers). If that's the case then it still isn't secure but the only people who can really Man-in-the-Middle that connection are your company sysadmins - who generally already run both the server and your machine, and so have the keys to the kingdom. It's not perfect and should ideally be fixed, but it is lower risk than public websites reporting as insecure.
    – IBBoard
    Commented Feb 12, 2018 at 9:28
  • 6
    To be honest, I'd rate "having a login page on http" as a bigger security risk than "disclosing an internal URL on SO" :) And a much bigger security risk is having sysadmins who allow http in the first place and think it's secure in other browsers just because they don't (yet) warn about it!
    – Adam
    Commented Feb 12, 2018 at 14:55
6

Does not secure mean HTTP

Yes, at the moment there are rules about which sites using http will show as not secure, which are available here.

Why would this site show as not secure

There are 2 main options:

  • it has a password input
  • it has a credit card input
1
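The first answer's points (a plain-HTTP page exposes everything on it, cookies included; an https page with http sub-resources is mixed content) and the second answer's point (a password input on an http page is one of Chrome's "Not secure" triggers) can be checked offline from a captured page. The audit below is an added example, not code from the question, any answer, or Chrome itself. It assumes you already have the page's URL, its HTML and its Set-Cookie headers; the hostnames, HTML and cookies at the bottom are constructed for the example.

```python
"""Offline audit of the conditions discussed in the answers: plain-HTTP page,
password field over plain HTTP, mixed content, and cookies without Secure."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that pull a sub-resource into the page. Scripts, stylesheets and
# frames are "active" mixed content (they can change the page); images and
# media are "passive" (they can only be observed or swapped).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class _Scanner(HTMLParser):
    """Collects password inputs and http:// sub-resources from one document."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.http_resources = []  # (tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        # <link rel="stylesheet"> is active content; other <link> kinds are not.
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._note("link", a.get("href"), "active")
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            attr = table.get(tag)
            if attr:
                self._note(tag, a.get(attr), kind)

    def _note(self, tag, url, kind):
        if url and urlsplit(url.strip()).scheme.lower() == "http":
            self.http_resources.append((tag, url.strip(), kind))


def audit(page_url, html, set_cookie_headers):
    """Return a list of human-readable findings for one captured page."""
    scheme = urlsplit(page_url).scheme.lower()
    scanner = _Scanner()
    scanner.feed(html)
    findings = []
    if scheme != "https":
        findings.append("page served over plain HTTP: everything on it, "
                        "cookies included, is readable to anyone on the path")
        if scanner.password_inputs:
            findings.append(f"{scanner.password_inputs} password input(s) on a "
                            "plain-HTTP page: credentials are sent in the clear")
    else:
        for tag, url, kind in scanner.http_resources:
            findings.append(f"{kind} mixed content: <{tag}> loads {url} "
                            "over http inside an https page")
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks the Secure attribute and "
                            "will also be sent over http")
    return findings


# Constructed sample: a plain-HTTP intranet login page like the one asked about.
LOGIN_URL = "http://intranet.example/login"  # placeholder host
LOGIN_HTML = """<html><body><form method="post" action="/login">
<input name="user"><input type="password" name="pass"></form></body></html>"""
LOGIN_COOKIES = ["JSESSIONID=abc123; Path=/"]

# Constructed sample: an https page that still embeds http sub-resources.
MIXED_URL = "https://intranet.example/home"
MIXED_HTML = """<html><head><script src="http://cdn.example/app.js"></script>
<link rel="stylesheet" href="https://cdn.example/app.css"></head>
<body><img src="http://cdn.example/logo.png"></body></html>"""
MIXED_COOKIES = ["session=xyz; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for url, html, cookies in ((LOGIN_URL, LOGIN_HTML, LOGIN_COOKIES),
                               (MIXED_URL, MIXED_HTML, MIXED_COOKIES)):
        print(url)
        for finding in audit(url, html, cookies):
            print("  -", finding)
```

The findings are what you would hand to the IT department: the scheme and the password field answer questions 1 and 3, the mixed-content lines answer Edu's caveat, and the cookie line answers question 4, since a cookie without Secure is sent on every http request to that host regardless of how the page itself was loaded.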
4

To be precise: “Insecure” refers to your connection to the server, not necessarily the server itself. It could be that a server offers http as well as https connections. Ideally, it would then redirect any http access to https. If it does not you need to specify the https: protocol explicitly in the URL. Talk to your sysAdm in this case.
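The redirect this answer recommends is easy to get right on the server side. The following WSGI middleware is an added example, not code from the answer or from any particular server: it answers every plain-HTTP request with a redirect to the same path and query over https, and adds a Strict-Transport-Security header to https responses so a browser that has seen the site once stops trying http on its own. The wrapped application, the `call` helper and the hostnames are constructed for the example; the one-year HSTS value is an assumption.

```python
"""WSGI middleware: redirect http to https and send HSTS on https responses."""
from urllib.parse import urlunsplit

# Assumption: every subdomain of the site is also reachable over https.
HSTS_POLICY = "max-age=31536000; includeSubDomains"


def redirect_to_https(app):
    """Wrap a WSGI app so that it is only ever served over https."""

    def middleware(environ, start_response):
        # wsgi.url_scheme is set by the server from the actual connection.
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = environ.get("PATH_INFO") or "/"
            query = environ.get("QUERY_STRING", "")
            target = urlunsplit(("https", host, path, query, ""))
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Replace any existing HSTS header rather than duplicating it.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_POLICY))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)

    return middleware


def login_app(environ, start_response):
    """Constructed stand-in for the corporate login application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login form"]


secure_app = redirect_to_https(login_app)


def call(app, scheme, host, path, query=""):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
               "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(call(secure_app, "http", "intranet.example", "/login", "next=home"))
    print(call(secure_app, "https", "intranet.example", "/login"))
```

Two caveats worth knowing when you raise this with the sysadmins. First, the redirect only protects the pages a user navigates to: a login form that was already loaded over http submits its POST over http, and the credentials have left the machine before any redirect arrives, which is why the form itself must only be served over https. Second, behind a TLS-terminating proxy the application sees `wsgi.url_scheme == "http"` for every request; the proxy must then either do the redirect itself or pass the original scheme through in a header that it overwrites on the way in, so a client cannot forge it.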
