Plain HTTP Labeled "Not Secure" in Chrome | VerSprite TLS Encryption

Plain HTTP Websites Labeled “Not Secure”

Written By: Zach Varnell

Is Your Site Labeled “Not Secure”?

As of the latest release of Chrome, sites not using TLS encryption are being called out in the address bar. Users will now see a “Not Secure” label when visiting sites over plain HTTP, even if the site does not transmit sensitive information.

HTTP May Impact Google Rankings

While this warning does not elevate the severity of lacking TLS encryption, it may cause customers and partners who do not understand the nuance of the situation to assume the business is “Not Secure” altogether.

In 2014 Google began to treat HTTPS use as a ranking signal for their search engine results. While this signal does not currently carry much weight, Google has expressed that it may strengthen the signal over time.

Using Valid Signed Certificates

VerSprite suggests enabling TLS with strong ciphers on all sites, both external and internal.

It is important to use valid, signed certificates even with internal assets so that employees do not become accustomed to bypassing security warnings, a practice that increases the likelihood of falling victim to phishing attacks.

To ensure systems have the most secure TLS configurations, review the suggestions given by Mozilla on their SSL Configuration Generator and Security/Server Side TLS pages.

Secure Apache Configuration

A secure Apache configuration for modern browsers might look like the following:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

After TLS has been implemented, regularly test the configurations using Qualys’ SSL Server Test or the testssl.sh script.
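Alongside those scanners, the directive values shown above can be checked statically in the configuration file before a change is deployed. The following Python script is an added example, not code from VerSprite or Mozilla; the function names, the treatment of `all` and of unset directives, the list of weak-cipher markers, and the constructed `WEAK_CONF` sample are assumptions made for illustration.

```python
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: "all" means every version; the real set depends on the build.
ALL = LEGACY | {"TLSv1.2", "TLSv1.3"}
EXPECTED = {"sslhonorcipherorder": "on", "sslcompression": "off",
            "sslsessiontickets": "off"}
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL")

def parse_directives(conf_text):
    """Map lower-cased directive name -> argument string (last one wins)."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1].strip()
    return found

def enabled_protocols(args):
    """Apply SSLProtocol tokens in order: '-X' removes, '+X' or 'X' adds."""
    enabled = set()
    for token in args.split():
        name = token.lstrip("+-")
        names = ALL if name.lower() == "all" else {name}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled

def audit_apache_tls(conf_text):
    d, findings = parse_directives(conf_text), []
    # Assumption: an unset directive is audited as "all" / "DEFAULT".
    legacy = sorted(enabled_protocols(d.get("sslprotocol", "all")) & LEGACY)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    for suite in d.get("sslciphersuite", "DEFAULT").split(":"):
        weak = any(m in suite for m in WEAK_MARKERS)
        # Tokens starting with '!' are exclusions, not enabled suites.
        if suite and not suite.startswith("!") and (weak or not suite.startswith("ECDHE-")):
            findings.append("weak or non-ECDHE cipher suite: " + suite)
    for name, want in EXPECTED.items():
        got = d.get(name, "not set").lower()
        if got != want:
            findings.append(f"{name} is {got}, expected {want}")
    return findings

# Constructed sample input, not taken from a real server.
WEAK_CONF = """SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:ECDHE-RSA-RC4-SHA
SSLHonorCipherOrder on
SSLCompression on"""

if __name__ == "__main__":
    print("\n".join(audit_apache_tls(WEAK_CONF)))
```

Run against the Apache configuration above, `audit_apache_tls` returns no findings; a static check like this complements, and does not replace, testing the live endpoint.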

VerSprite's Approach to Security

At VerSprite, we approach security from a holistic risk management perspective, understanding security from business and attacker perspectives.

Our approach goes beyond assessing security controls. We examine credible threats to understand the likelihood of a real-world abuse case and measure the magnitude of business impact if a breach should occur. By developing a holistic business risk view, security decisions become business decisions.
