HTTPS icon red and crossed out - Chrome browser

  • What does it actually mean when the HTTPS icon is red and crossed out in Chrome?

    Does this mean that the site is vulnerable to a Man in the Middle Attack? Is it safe or not?

    I was told to send this link to the web developer of the website it is occurring on for them to fix.

  • gowenfawr

    gowenfawr Correct answer

    6 years ago

    When the https portion of the URL in Chrome has a red line through it, there is a problem with the security of the site you are going to. To see exactly what the problem is, you need to click on the padlock and see the detailed connection info.

    Detailed connection info is documented here.

    If you see green padlock, then you've established a secure connection with a trusted site, and do not need to worry about MITM attacks.

    If you see yellow bang, then the connection is unencrypted, and subject to MITM attacks.

    If you see grey padlock or red padlock, then either the connection is only partially encrypted or it's encrypted with a party that's not trusted (e.g., a self signed cert, name mismatch, or imposter). In these cases you may be subject to a MITM attack.

    With these last two, the level of exposure varies. It might be that the remote site is properly encrypted, but just happens to have a few "IMG SRC=http://..." tags that cause mixed content. That "mixed content" can be sniffed on the network. Or, it might be that you've gone to an impostor site "gooogle.com" instead of "google.com", and everything you send is encrypted but going to a malicious attacker. Or anywhere in between. The rule of thumb is, essentially, unless you understand why it's red, you shouldn't trust it.

    Ok thanks for the answer. How serious is this "may be subject to MITM attack" ? I mean is this something that I should be worry about. For example when I see that in ecommerce website. Can someone for example use Wireshark and sniff the packets in local network? Many Thanks.

    Add to this:As of Chrome 42, sites using SHA1-signed certs expiring in 2017 will get the red X icon, and sites using SHA1-signed certs expiring in 2016 gets the yellow triangle.

    `Stackoverflow.com` is getting the red x right now for some reason

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM