Why Does My Browser Say that UMB’s Website is Not Secure?

May 19, 2015   |  By Chris Phillips

Have you recently connected to a University website using the Chrome browser, and been concerned at seeing a “not-secure” symbol on the address bar?  Here’s what this is all about:

As explained in a recent Elm article, when an Internet address starts with https: (instead of simply http:) this means that an extra secure layer (some kind of data encryption) is added to the data transmission to and from that website.  A widely used standard of encryption, designed by the United States National Security Agency (NSA) and considered a U.S. Federal Information Processing Standard (FIPS), is known as SHA-1, where SHA stands for Secure Hash Algorithm.

But SHA-1 is getting old now and is therefore increasingly vulnerable to attack by code-breaking criminals. So government and industry-leading standard-setting groups have all officially “deprecated” it, that is, marked it for replacement by something newer and stronger, such as SHA-2 or above, as soon as website owners can manage to do so. This is why the companies behind the major web browsing applications announce their upgrade plans years in advance.  For example, it was in 2013 that Microsoft announced that Windows would stop accepting SHA-1 certificates as evidence of websites’ security by 2017, and Google (maker of Chrome) and Mozilla (maker of Firefox) have since set the same date.

If you have recently connected to a University website using the latest version of the Google Chrome browser (Chrome 41 or above), you probably saw a symbol on the address bar implying that the site is not secure.

This error message is Google’s attempt to force the issue regarding the move to a more secure encryption algorithm (SHA-2).  You should know that there are currently no known practical attacks on SHA-1 and it is likely that such attacks are a few years off, but Google has decided to make a statement by highlighting the issue with the latest version of its browser.  Firefox, Safari and Internet Explorer are currently not being designed to do this.  To be clear, you are not connecting to an insecure service, regardless of the look of the warning.  By continuing to connect to the UMB system, your session is still being encrypted.

CITS is in the process of evaluating a move to upgrade the security certificates on all of our supported systems, being mindful that a wholesale changeover could cause problems with older computers and smartphone devices.  The migration to SHA-2 will proceed in a systematic fashion in order to minimize the impact on the user community, since we will have to evaluate all existing hardware and software to make sure that it can support SHA-2 certificates.  Where problems are found, the hardware, the software, or both will be upgraded as necessary.

For additional detail, see the CITS Security and Compliance website.