As Google’s plan to move the entire web to HTTPS by default draws near, your website needs to be fully migrated to “HTTPS Everywhere” to avoid displaying a “Not secure” indicator in your address bar. This indicator is designed to help users determine if your website is encrypted.
Set for release in July 2018, Chrome 68 is part of Google’s progressive plan to promote a more secure web for all users by achieving HTTPS Everywhere. Another plus with this move is that HTTPS promises to “unlock both performance improvements and powerful new features that are too sensitive for HTTP,” according to a recent Chromium blog post.
The depth of a full migration to HTTPS Everywhere extends far beneath the surface of simply encrypting a website’s home and transactional pages. Although not limited to marketing activity, this migration is also significant to marketers who generally rely on third-party applications for content delivery. This post focuses on some of the items websites need to address ahead of the Chrome 68 release. Let’s take a look at what this means.
Secure content that is served up in an insecure environment is vulnerable to attack. Even though your website might be encrypted, content that is distributed through your website via a third party might not be. For this reason, websites need to update all external links to avoid the “Not secure” indicator. Here are some examples of marketing-related items that need to be audited for SSL/TLS security:
- IFrames – Both HTML documents and the content embedded within them from another source need to be encrypted. Check your advertisements and images.
- Backlinks – If you rely on backlinks to support SEO strategy, ensure that all backlinks are sourced from HTTPS URLs.
- Social Media – Crosslinks with social media outlets need to be encrypted on your end and theirs.
- Website Tools – Tools used for email marketing, marketing automation, landing page generation, etc. all need to be encrypted.
- Transactional Emails – Email communications also need to be secured. Test your communication processes for secure welcome messages, invoices, forgotten passwords, etc.
- Cross-links – Can be sourced from company web pages or from a third party. Encryption needs to be in place regardless of source. Some examples include:
  - Listings in Authoritative Directories
  - Marketing Assets: PDFs, images, etc.
This list is in no way exhaustive. Your website likely has other items, inside or outside of marketing-related activity, that also need to be addressed.
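One way to start the audit described in the list above, as an added example that is not part of the original post: a small Python scanner that parses a page's HTML and reports every reference still using http://, separating content embedded in the page (iframes, images, scripts) from plain links (such as a PDF download). The function names, the tag subset and the example.com sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that reference other resources, per tag (a subset chosen for this example).
URL_ATTRS = {
    "iframe": ["src"], "img": ["src"], "script": ["src"], "embed": ["src"],
    "source": ["src"], "video": ["src", "poster"], "audio": ["src"],
    "a": ["href"],
}
# Tags whose URL is only a navigation target, not content loaded into the page.
NAVIGATION_TAGS = {"a"}


class InsecureReferenceAuditor(HTMLParser):
    """Collects every http:// reference found in one HTML document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, attribute, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS.get(tag, ()) or not value:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            absolute = urljoin(self.page_url, value.strip())
            if urlparse(absolute).scheme == "http":
                kind = "link" if tag in NAVIGATION_TAGS else "embedded"
                self.findings.append((kind, tag, name, absolute))


def audit(page_url, html):
    """Return the list of insecure references in html as served from page_url."""
    auditor = InsecureReferenceAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page; the example.* hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<iframe src="http://ads.example.net/banner.html"></iframe>
<img src="//cdn.example.com/logo.png">
<img src="http://cdn.example.com/hero.jpg">
<a href="http://example.org/whitepaper.pdf">Whitepaper</a>
<a href="/pricing">Pricing</a>
<script src="https://cdn.example.com/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit("https://www.example.com/", SAMPLE_HTML):
        print(*finding)
```

Relative and protocol-relative URLs inherit the scheme of the page that hosts them, so the same markup produces more findings when the page itself is still served over HTTP.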
Content Delivery Network (CDN)
Make sure your CDN supports SSL. Contact your CDN provider to find out whether they can enable SSL setup on your CDN subdomain.
Next steps for Marketers
The path to achieve HTTPS Everywhere requires action by all website administrators who have not already migrated. For a more comprehensive discussion on migrating your IT ecosystem to HTTPS, please grab your IT administrator and register now for our best practices webinar.
WEBINAR: The Path to HTTPS Everywhere, Chrome 68 – Are You Ready?
HOST: Mark Giannotti, Technical Consultant, Entrust Datacard
DATE: Wednesday, May 30 at 11:00 AM EST
*** This is a Security Bloggers Network syndicated blog from Entrust Datacard Blog authored by Entrust Datacard Blog. Read the original post at: https://www.entrustdatacard.com/blog/2018/may/the-tipping-point-for-https-is-closing-in