Ask LH: Why Does Chrome Think Gmail Is Insecure?


Dear Lifehacker, Google Chrome’s security padlock is freaking me out. When I’m on sites that should be secure—like, say, Gmail—Chrome is giving me warnings that the page isn’t secure. What’s going on here? Signed, Sensitive to Security

Hey StS,

We’ve heard this question a lot, and while you can read a lot about Chrome’s web site security indicators on their help page, I talked to Ian Fetteru, Senior Product Manager on the Google Chrome team, to get a clearer picture of why this is happening—specifically in Gmail accounts—and why, most of the time, it’s not something you need to be too concerned about. Here’s what I learned.

Understanding Chrome’s Security Indicators

Chrome’s address bar displays one of several icons next to the URL of the sites you’re visiting, and these icons indicate whether you’re browsing on a secure site or not.

secure, encrypted version of HTTP

The EV is the most helpful thing Chrome does to help you know a web site is who it says it is, but not all sites have one; in fact, most don't, apart from sites dealing with money or security (like banks or, say, the web site for password management tool LastPass). When a site doesn’t provide an EV, you’ll see either the lock (which means you’re still connected to the site using an HTTPS connection) or the globe (which means you’re browsing using an unencrypted HTTP connection).

Firesheep works

What About When The Padlock Displays Warnings?

Things can go wrong: On some secure sites, images or other embedded page elements are served over HTTP instead of HTTPS. So if you were browsing your bank account on a public hotspot, for example, and the bank’s logo were being served from an HTTP connection, while the actual information on the page was coming over HTTPS, someone on the same network might be able to see the logo of your bank, but not any of the private information that’s being served to you over HTTPS. When a site is serving mixed content, you’ll either see the padlock with the yellow warning sign or the padlock with the red x. Here’s the difference:

The red x is what you’d really want to pay attention to. If you’re on an untrusted network, you probably want to avoid browsing sites with the red x padlock that also contain sensitive content. In that case, high-risk content is being served over HTTP, meaning a hacker could potentially be injecting JavaScript that could, say, steal your password or your cookies.
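To make the two cases concrete, here is an added example (not from the original article or from Chrome) that scans an HTTPS page's HTML for subresources loaded over plain HTTP and labels each one. The tag-to-risk mapping, the function names and the bank.example sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed split: content that can run code or restyle the page is "active"
# (the high-risk case); content that is only displayed is "passive".
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (risk, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            is_css = tag == "link" and name == "href" and "stylesheet" in (attrs.get("rel") or "").lower()
            if (tag, name) in ACTIVE or is_css:
                risk = "active"
            elif (tag, name) in PASSIVE:
                risk = "passive"
            else:
                continue  # plain links (<a href>) are navigation, not page content
            # Relative and protocol-relative URLs inherit the page's https scheme.
            url = urljoin(self.page_url, (value or "").strip())
            if urlparse(url).scheme == "http":
                self.findings.append((risk, tag, url))

def scan(page_url, html):
    # Mixed content is only defined for pages that were loaded over HTTPS.
    if urlparse(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

def worst(findings):
    # Summarise a scan as "active", "passive" or "none".
    risks = {risk for risk, _, _ in findings}
    return "active" if "active" in risks else "passive" if "passive" in risks else "none"

# Constructed sample page (hypothetical bank.example hosts).
PAGE = "https://bank.example/account"
SAMPLE = """<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.bank.example/app.js"></script>
<script src="http://stats.bank.example/track.js"></script>
<img src="http://img.bank.example/logo.png" alt="logo">
<a href="http://bank.example/help">Help</a>"""
```

Calling `scan(PAGE, SAMPLE)` reports the HTTP script as active and the HTTP logo image as passive; the protocol-relative script and the relative stylesheet resolve to HTTPS and are not reported.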

So Why Am I Seeing Anything But The Green Padlock In Gmail?

since sometime last January

Because Gmail doesn’t reload the page when you switch between emails and inboxes, the padlock will remain in mixed-content mode until you reload Gmail entirely.

According to Ian, other possible offenders (i.e., reasons your padlock may not be green) include Gmail Labs features and various browser extensions. The Gmail team aims to make sure that Labs features are 100% HTTPS, but they’re not always launched without mixed content. (They are experimental features, after all.) Regarding extensions, well—those are in your hands, and the Chrome team can’t control whether or not they’re introducing mixed content into your sites.

If you’re simply using vanilla Gmail (that is, with no extensions installed or Labs features enabled), you definitely shouldn’t see a red x padlock in Gmail. If you do—well, I’m not sure what might be the cause. (Ian’s from the Chrome team—if anyone out there from the Gmail team has suggestions for why it might be happening, we’re all ears!)

Hope that helps!

Cheers
Lifehacker

Comments

  • Very helpful article. I could not figure out what was going on with that padlock. Since I recently had my account hacked by someone in China, I was particularly concerned–so thanks for the info!

    • hey matt it is one of your extensions on the browser as the gentleman said try this i did and all i got was green . open an incognito window and open your gmail . you'll see nothing but green . the incognito browser disables your extensions which end our problem!!! that guy's response helped me too.

  • thanks for that article about why i am getting a red x on my security advisor. i notice however when i open an incognito window it disables all extensions , therefore bringing it back to green . i was really concerned about this and almost stopped using chrome , which would kill me . i don't use anything else. thanks again
