Make way for HTTPS – Starting July 2018, Google Chrome will mark all HTTP sites as "not secure"
Days of clear-text HTTP, the original but insecure foundation for data communication over the web, are numbered. Over the past few years, Google (and others such as the Internet Architecture Board, Mozilla, and Apple) have nudged developers to encrypt and authenticate their websites using HTTPS which layers HTTP over TLS (Transport Layer Security). This includes measures such as ranking HTTP sites lower in Google search results, not supporting powerful features such as geolocation and service workers, and marking a large subset of HTTP sites as “not secure”. As a result, there has been a significant increase in the adoption of HTTPS, resulting in a more secure World Wide Web.
However the latest announcement from the Google Chrome team could very well be the proverbial final nail in the coffin for HTTP. Starting with the release of Chrome 68 in July 2018, Google Chrome will mark all HTTP sites as “not secure”.
This announcement is a huge deal. With high profile security breaches dominating main stream media in the last few months, end users have become increasingly cautious when browsing websites and especially when sharing personally identifiable information. In such circumstances, the last thing you need is for your website to display a “not secure” sign. While HTTPS by itself does not protect users from all forms of attacks (such as phishing attacks designed to resemble legitimate sites but with hostname variants), it is critical for protecting user data on the wire such as from both “coffee shop” attacks (where data can be intercepted and modified by others on the local network) and pervasive monitoring. It seems evident that, going forward, serving traffic over HTTP only will reduce customer trust, increase bounce rates, and possibly impact revenue and brand value.
At Akamai, we have seen a significant increase in the adoption of HTTPS on our platform. From August 2015 to the present, we’ve gone from having 38% of the hostnames on Akamai with over 100M requests-per-day using our HTTPS platform that supports branded customer HTTPS certificates to having over 57% of those hostnames enabled for HTTPS. On our platform, we’ve also seen the percentage of requests served over HTTPS increase from 48% to 75% over the period of time from July 2016 to December 2017. These line up with what Mozilla has measured, with Firefox telemetry now showing 70% of page loads using HTTPS.
How can I secure my site with HTTPS?
With Akamai’s cloud delivery platform, you can effortlessly deliver HTTPS traffic for all your web properties. Our Standard TLS offering, which is included in most delivery and acceleration products by default, provides one Domain Validated (DV) SAN SNI SSL certificate and secures user connections over the last mile. Customers that have higher security and compliance requirements (such as PCI compliance for digital properties that handle financial transactions) can continue to leverage our Enhanced TLS offering. Your origin server will also need to have TLS enabled as serving HTTPS to end-users, but connecting to origins over insecure HTTP without adequate mitigations can expose your users to security risks.
You will also need to make sure that resources referenced from your site (such as images, CSS, javascript, videos, and the like) are also available over HTTPS or users will receive a “mixed content” warnings in their address bars. After confirming your site works over HTTPS, you will want to enable first “302” (temporary) and then “301” (permanent) redirects from HTTP to HTTPS so that visitors arriving over insecure HTTP get upgraded to HTTPS. Eventually (after quite some time with everything redirecting to HTTPS with no issues) you’ll likely want to enable HSTS (the “point of no return”) to indicate to clients that the site will never again be available over HTTP. These can be configured either on your origin or within Property Manager.
Delivering traffic via HTTPS is a key component in securing your website and ensuring a safe secure browsing experience for your customers. With threat landscapes changing continuously, security has become a critical component of digital experiences. Ultimately, you will need to consider more mature solutions like protection from web application attacks, DDoS attacks and bots, but that’s a discussion for another post. First things first – Get HTTPS before July 2018 to ensure your site is not marked “not secure” in Chrome.
*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Shantanu Kedar. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/jcnMk7JbauU/make-way-for-https---starting-july-2018-google-chrome-will-mark-all-http-sites-as-not-secure.html
