Chrome flagging googlemail as insecure content

Topic

New Reply

Last week I started to use the Chrome browser and was amazed by the speed compared to IE8.

The day before yesterday Chrome updated itself to version 4.0.249.78 and now it’s noticeably slower!

And now, when using googlemail, there’s a triangle with an exclamation mark in the address bar.

It says: “This page contains some insecure content” but it’s not there when using IE8.

Anything to worry about, or just google googling itself in the foot?

Reply | Quote

Replies

Last week I started to use the Chrome browser and was amazed by the speed compared to IE8.

The day before yesterday Chrome updated itself to version 4.0.249.78 and now it’s noticeably slower!

And now, when using googlemail, there’s a triangle with an exclamation mark in the address bar.

It says: “This page contains some insecure content” but it’s not there when using IE8.

Anything to worry about, or just google googling itself in the foot?

Hiya.
I noticed the same thing this morning but I’m not using Chrome
I’m using Firefox to a Google/Dell homepage and when I click on the googlemail link, it comes up with a red exclamation point over the lock icon in the lower right hand corner.
This has the same message about insecure content.
When I manually type the googlemail address into the title bar, the exclamation point goes away.
?

Reply | Quote

Here’s what I get when I click the warning triangle.

Reply | Quote

Google G-Mail has security issues, but what is being flagged here may be that by default, the G-Mail log in page is unsecured. You can switch to a secure log in, but the page will still contain some unsecured content. This should not be a security concern, as long as you make sure that yu are using the secure log in if the choice is not pre-selected for you.

-- rc primak

Reply | Quote

Hi Bob.

No, it’s not the log-in page. That has the padlock and everything’s okay there.

It’s the actual page with my inbox etc. The padlock then gets replaced with the exclamation triangle and insecure warning.

I’ve since found loads of other people reporting the same thing. It seems to be something to do with “chat” or some other add-on.

I run googlemail – and everything else – as lean as I can get it so even with these things disabled something’s not right.

Notice also how it says “insecure” and not “unsecure”. Maybe they should put Googlemail on Prozac!

Cheers Bob.

Reply | Quote

Hello,
Same with me. It’s not on the login page and it shows up only when I stay signed in and open the googlemail inbox from a link on the Dell/Google homepage. When I manually type in the googlemail dot com address into the navigation bar, it goes away. It sometimes happens with my bank homepage as well. The sign in page with show up with a warning, but when I type in the bank site manually, it goes away.

Reply | Quote

Sorry, folks — right reason, wrong Google Page.

What happens after Google log-in is that you are taken to the Google G-Mail Home Page. This page does indeed link to unsecured Google services, like Chat and maybe some of the ad links. Depending on your other sign-ups (like Google Groups, which is a Public Area, and also not secured), additional unsecured elements may be present. But rest assured, the actual reading and downloading of G-Mail or using G-Mail as Web Mail, will not lower your security protections. If you don’t trust unsecured content, Firefox with NoScript will block most of the unnecessary unsecured scripts from running. This does not impair your use of G-Mail. Also be aware that the Google SendMail (outgoing mail) servers, both client-based and Web based, are not secure in any way, and are not encrypted. Use at your own risk.

When using NoScript, it is very obvious how to enable only a few scripts which clearly say “Google” in them. Only allow these scripts to run. Leave all other scripts disabled. This is for Firefox users only. IE uses Active-X, and with that present, good luck staying secure! Chrome is secure enough without modifications.

For the record, the entire Internet backbone through which all Web communications pass, is not considered secure. Things can be intercepted and pieced together. Not a common source of problems for most of us, but something to keep in mind.

Privacy is another matter, but this is inherent in all Google services. Google does read and reorganize your mail for you, and advertisers do get your personal information and e-mail contents as keywords, so that they can target the ads they will show you while you are using any of Google’s services. That’s what “Ad Supported” means to Google. It’s how they pay their bills.

If you don’t like these Google privacy implications, try Yahoo MailPlus ($19.99 per year, if you want POP Client access), as I have done for years, without any security breaches. The Yahoo Mail Home Page also contains some unsecured elements. It’s really no big deal — I trust Yahoo, but I keep my web shields up.

All of this having been said, the most likely way your e-mail activities could end up being passed into hostile hands, is through your browser. It can be bugged, hijacked, cross-scripted, and many other scary things. Protect yourself by using antivirus/antispyware programs with Web Shields or Browser Shields, and use Firefox not IE. All of the Windows Secrets Lounge favorite free antivirus and antispyware products offer web shields of some sort. Just don’t get too hung up on every alert. Some alerts are more important than others, and it takes a bit of experience to tell the difference. It’s not something I can teach you; you just get a “feel” for it after awhile. And I do make mistakes — that’s what weekly scans are for.

Do not fall for the false claims that browsers can be “sandboxed” (isolated from the Windows System Files). Under Windows, this is simply not true (although Google’s Chrome browser can come close). Don’t pay something for nothing for these types of products.

With Firefox, use NoScript to avoid some (but not all) cross-site scripting and clickjacking threats. And don’t get phished — open e-mail links only by copy/paste into the location bar of Firefox. You will see if you are about to be taken someplace other than where the e-mail link said it would take you.

In general on the Internet, don’t get hung up on security warnings about secure pages with insecure content. What you need to be very wary of, is any totally unsecured Web page which is asking you for any personal information. Stay away from those types of sites.

-- rc primak

Reply | Quote

Hello Bob and Peppur101. Thanks Bob for taking the time to post your thorough reply. Loads of helpful stuff in there to assure me and Peppur.

At the moment, or until it breaks, I’m on Vista/Chrome/Kaspersky suite. The 2010 Kaspersky takes an age to load at boot, but for some reason I like it.

It “sounds” good to me, and it sandboxes IE8 which can only be a good thing. I’ve never liked the “sound” of Firefox.

In yesterdays Saturday Guardian (UK broadsheet newspaper) Google had full-page ads promoting Chrome, which for some reason I was reassured by.

Given my bizarre rationale on picking software by how cool it sounds, it’s a wonder I’m still here!

Thanks again for all that info, Bob. Cheers.

Reply | Quote

Maghully Back said:

“It “sounds” good to me, and it sandboxes IE8 which can only be a good thing. I’ve never liked the “sound” of Firefox.”

Sorry, folks, but Kaspersky is engaging in advertising hype. It is technically IMPOSSIBLE to isolate IE8 from the Windows System kernel under any version of Windows.

IE is intimately tied into the Windows System kernel in all of its operations. Worse, applications make IE calls which do not open up the full browser. Any application which runs with any Administrator privileges (and all commercial Windows Applications do this) can open IE windows which are totally unprotected by any security program which tries to “sandbox” the browser. What Kaspersky and Zone Alarm Extreme Security are doing is shielding the browser, nothing more. In this regard, you might as well be using a free Antispyware product.

Firefox is almost as closely tied into the Windows system kernel as IE, but it does not run Active-X or certain other high-risk content-delivery systems. Better than IE, but not possible to sandbox under Windows.

Only Chrome runs its processes without Administrator privileges, can be installed directly into a Limited User Account, and installs on a per-user basis. This is not perfect isolation, but it comes pretty close. I would think that if Kaspersky can sandbox any browser, it would come closest with Chrome. And if one Chrome window crashes, other open Chrome tabs will continue to function, which further illustrates that Chrome processes are well-isolated under Windows. At least as well-isolated as is technically possible.

Still, due to Google privacy policies, I would classify Chrome as an ad-supported browser, and all the privacy concerns that involves. I would not touch Chrome with a ten-foot polecat.

Stick with what works for you, but be aware that some of the claims of “sandboxing the browser” are nothing but high-priced snake-oil.

-- rc primak

Reply | Quote

Yeah okay, but the little broom thing looks way cool.

Reply | Quote

Update. Here’s what I’ve found out so far. Nothing that new actually . . .

When using Chrome or IE8, the Googlemail log-in page is encrypted, with the padlock and everything.

Then when at your Googlemail in-box using IE8, “This connection to the server is encrypted”. Like you’d expect.

But when at your Googlemail in-box using Chrome, the connection to the server is UNencrypted. Scary.

Like I said in my original post, Google are Googling themselves in the foot here. Not very reassuring at all.

And what Chrome does to Paypal pages is positively frightening. It turns them into the most amateurish-looking phishing pages.

So my little Chrome expedition lasted a week. I’m back on IE8.

Reply | Quote