Dear Lifehacker, Google Chrome’s security padlock is freaking me out. When I’m on sites that should be secure—like, say, Gmail—Chrome is giving me warnings that the page isn’t secure. What’s going on here? Signed, Sensitive to Security
We’ve heard this question a lot, and while you can read about Chrome’s web site security indicators on Google’s help page, I talked to Ian Fette, Senior Product Manager on the Google Chrome team, to get a clearer picture of why this happens—specifically in Gmail—and why, most of the time, it isn’t something you need to be too concerned about. Here’s what I learned.
Understanding Chrome’s Security Indicators
Chrome’s address bar displays one of several icons next to the URL of the sites you’re visiting, and these icons indicate whether you’re browsing on a secure site or not.
If you’re browsing a site that uses HTTPS (the secure, encrypted version of HTTP), you’ll see some version of the padlock icon, and you may or may not also see the Extended Validation (EV) indicator. If you go to a bank, for example, you’ll often see a green bar showing that the site has an EV certificate. This is essentially extra documentation proving that the site’s operator is the company it claims to be.
EV is the most helpful thing Chrome does to help you know a web site is who it says it is, but not all sites have it; in fact, most don’t, apart from sites dealing with money or security (like banks or, say, the web site for the password management tool LastPass). When a site doesn’t have an EV certificate, you’ll see either the lock (which means you’re still connected to the site over an HTTPS connection) or the globe (which means you’re browsing over an unencrypted HTTP connection).
If you see the globe in the address bar, keep in mind that everything you’re seeing on that page could also be seen by someone else on the same public network as you—and anyone sharing the public Wi-Fi could potentially snag your authentication cookies and, say, navigate Facebook as though they were you. (That’s how Firesheep works.)
The green lock is the ideal icon, from a security standpoint. If you see this, you know that you’re on a secure HTTPS site, everything served on the page is being served over a secure HTTPS connection, and if you’re browsing the site over public Wi-Fi, no one’s going to see your stuff or be able to hijack your cookies.
What About When The Padlock Displays Warnings?
Things can go wrong: On some secure sites, images or other embedded page elements are served over HTTP instead of HTTPS. So if you were browsing your bank account on a public hotspot, for example, and the bank’s logo were being served from an HTTP connection, while the actual information on the page was coming over HTTPS, someone on the same network might be able to see the logo of your bank, but not any of the private information that’s being served to you over HTTPS. When a site is serving mixed content, you’ll either see the padlock with the yellow warning sign or the padlock with the red x. Here’s the difference:
This yellow warning padlock appears when the mixed content includes embedded elements like images. It lets you know that some content is being served via HTTP, but that it’s not likely to be content that poses a security risk.
So Why Am I Seeing Anything But The Green Padlock In Gmail?
The answer is pretty simple: When you first load—or reload—Gmail, you should see the green padlock. Everything in Gmail is served over a secure HTTPS connection (it’s been the default since sometime last January). However, when you open an email that’s written in HTML and allow Gmail to display embedded images, those images are often loaded from another site that isn’t using HTTPS. As soon as you open an email with embedded images that are coming over HTTP, your padlock will change from the green padlock to the yellow warning padlock.
Because Gmail doesn’t reload the page when you switch between emails and inboxes, the padlock will remain in mixed-content mode until you reload Gmail entirely.
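As an added illustration (not Chrome’s or Gmail’s code), here is a small JavaScript model of the behaviour just described: an HTTPS page’s indicator drops to the yellow warning once an HTTP image loads and, because Gmail doesn’t reload between views, stays there until a full reload. The URLs, tag sets and `SecurityIndicator` class are constructed assumptions; treating scripts and frames as the red-x class reflects Chrome’s passive/active mixed-content distinction, which the article doesn’t spell out.

```javascript
// Constructed model of a browser security indicator (not Chrome's implementation).
const PASSIVE_TAGS = new Set(["img", "audio", "video"]);            // display-only content
const ACTIVE_TAGS = new Set(["script", "iframe", "link", "object"]); // can run code or alter the page

// True when an HTTPS page pulls a subresource over plain HTTP.
// Relative URLs are resolved against the page, so "/logo.png" inherits https and is fine.
function isInsecure(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, pageUrl);
  return page.protocol === "https:" && res.protocol === "http:";
}

class SecurityIndicator {
  constructor(pageUrl) { this.load(pageUrl); }
  // A full page load (or reload) starts with a clean slate.
  load(pageUrl) { this.pageUrl = pageUrl; this.passive = []; this.active = []; }
  // Called for every subresource the page fetches; only insecure ones are recorded.
  resourceLoaded(tag, url) {
    if (!isInsecure(this.pageUrl, url)) return;
    (ACTIVE_TAGS.has(tag) ? this.active : this.passive).push(url);
  }
  icon() {
    if (new URL(this.pageUrl).protocol !== "https:") return "globe";
    if (this.active.length) return "red-x";             // active mixed content
    if (this.passive.length) return "yellow-warning";   // images and the like
    return "green-lock";
  }
}

// Walk through the Gmail scenario; returns the icon after each step.
function simulateGmailSession() {
  const ind = new SecurityIndicator("https://mail.google.com/mail/");
  const icons = [ind.icon()];                                        // fresh load
  ind.resourceLoaded("img", "http://newsletter.example/logo.png");   // constructed HTTP image in an email
  icons.push(ind.icon());
  ind.resourceLoaded("img", "https://mail.google.com/mail/avatar.png"); // back to the inbox, no reload
  icons.push(ind.icon());                                            // still yellow: state persists
  ind.load("https://mail.google.com/mail/");                         // full reload clears it
  icons.push(ind.icon());
  return icons;
}
```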
According to Ian, other possible offenders (i.e., reasons your padlock may not be green) include Gmail Labs features and various browser extensions. The Gmail team aims to make sure that Labs features are 100% HTTPS, but they’re not always launched without mixed content. (They are experimental features, after all.) Regarding extensions, well—those are in your hands, and the Chrome team can’t control whether or not they’re introducing mixed content into your sites.
If you’re simply using vanilla Gmail (that is, with no extensions installed or Labs features enabled), you definitely shouldn’t see a red x padlock in Gmail. If you do—well, I’m not sure what might be the cause. (Ian’s from the Chrome team—if anyone out there from the Gmail team has a suggestion for why it might be happening, we’re all ears!)
Hope that helps!