Is Chrome flagging your bank's website for weak security?
The last thing you might think of when logging into your online banking pages are, "is this site really secure?" You tend to take it for granted.
But if you've visited banking giants HSBC and Chase in recent days, you may be missing something you should normally expect -- your browser's address bar lighting up in bright green to assure you that your connection is secure.
That's because Chrome, used by more than one-third of all visitors to US government websites, flags up these two sites -- and many others -- as using a "weak security configuration," while warning you that your connection "may not be private."
Security researchers say that things aren't as bad as you think. After all, the same websites visited in Internet Explorer, Firefox, and Safari appear to be "secure."
But it's a far cry from being as sound as they could be -- and could pose a significant risk to customer security if left unchecked.
"Dangerously weak"
Chrome will flag both HSBC and Chase's websites because they are using a security certificate, used to encrypt data flowing between your computer and a website, signed with "dangerously weak" SHA-1 cryptography, says encryption expert Eric Mill.
The good news is that SHA-1 has since been replaced by a newer, better version -- the aptly named SHA-2. The bad news is that SHA-1 is still used to sign about 90 percent of all website security certificates, and hackers are closer every year to finding an attack that allows them to decrypt secure traffic.
"As time goes on, new weaknesses in hashing algorithms are revealed by researchers, and faster hardware makes it easier to exploit those weaknesses," said Mike MacCana, founder of SSL startup CertSimple, in an email. "The result is that it becomes possible to create two documents with different contents but the same hash, so a digital signature can be re-used on another document -- allowing hacking groups, organized crime, and governments to impersonate others."
That's why the latest versions of Chrome will flag these sites as potentially risky.
Google, which develops the browser, previously said it will no longer accept SHA-1 certificates in 2017. (Microsoft and Mozilla will also follow suit.)
Simply put, those "secure" websites won't appear secure for much longer.
"Working on borrowed time"
Veteran security expert Dan Kaminsky said in an email that Chrome is being "remarkably aggressive" deprecating SHA-1. "Unlike pretty much everything else in security, cryptographic quality is easily measured," he added.
In other words, these red flags could have been avoided.
According to Chrome developers, an obsolete warning can mean that the connection between your computer and the site is using an outdated cipher suite. To get a "modern cryptography" status, the developers write, forward secrecy and a more up-to-date cipher suite are needed.
Cryptographer Justin Troutman said in an email that HSBC and Chase are "working on borrowed time," but the sites do not pose an immediate risk to customers.
"It's best to take on a sense of practical paranoia, where we actively take steps to move away from functions that are showing signs of failure," he said. "In the meanwhile, they need to step up to the plate and migrate to SHA-2. That's the logical step forward at this time. I don't think Firefox is wrong for marking these sites as secure, because they probably are, for all intents and purposes (for the time being)."
MacCana, whose firm helps other companies improve their online practices, said there is a "worrying lack of attention to their website security."
"The solution for website owners to prevent these attacks -- and get rid of Chrome's warnings -- is simple: migrate to a SHA2 certificate. Most SSL vendors will allow website owners to rekey existing certificates for no additional charge," he said.
Neither HSBC nor JP Morgan, which owns Chase, provided a comment at the time of writing. If we hear back, we'll update the story.