HTTP vs HTTPS: Will the World Follow Google?
Mon, 08/20/2018 – 12:53
Data sent via the HTTPS protocol is encrypted to keep it secure from commercial and private hackers. It can’t be modified or corrupted while in transit, and the protocol authenticates the site by proving that your users are communicating with the intended website.
There are also implications from a marketing perspective. Making the switch to HTTPS helps with the loss of referral data that occurs when a visitor moves from a secure website to an unsecured website and the referral value in the header is dropped. Analytics programs attribute traffic without the referral value as direct, which accounts for a large portion of “dark traffic”.
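The referral loss described above comes from the browser's referrer policy. The following is an added example (not from the original post) that models the two policies browsers have used as defaults and shows how an analytics tool would attribute the same inbound link landing on an HTTP versus an HTTPS site; the host names and function names are constructed for illustration.

```javascript
// Added example: how a browser decides what Referer to send, and how an
// analytics tool then attributes the visit. Host names are constructed.

// Strip the parts a browser never puts in a Referer header.
function stripForReferer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer header value, or null when the header is omitted.
// Simplification: "downgrade" is treated as HTTPS source -> non-HTTPS target.
function refererFor(fromUrl, toUrl, policy = "strict-origin-when-cross-origin") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  const sameOrigin = from.origin === to.origin;
  switch (policy) {
    case "no-referrer-when-downgrade": // older browser default
      return downgrade ? null : stripForReferer(fromUrl, false);
    case "strict-origin-when-cross-origin": // current browser default
      if (sameOrigin) return stripForReferer(fromUrl, false);
      return downgrade ? null : stripForReferer(fromUrl, true);
    default:
      throw new Error("policy not modelled in this example: " + policy);
  }
}

// Analytics-side view: no Referer means the visit is counted as "direct".
function attribute(referer, siteUrl) {
  if (referer === null) return "direct";
  return new URL(referer).origin === new URL(siteUrl).origin ? "internal" : "referral";
}

// Constructed visits: the same inbound link, landing on HTTP vs HTTPS.
function demo() {
  const source = "https://news.example/story?id=7#comments";
  return ["http://shop.example/", "https://shop.example/"].map((landing) => {
    const referer = refererFor(source, landing);
    return { landing, referer, channel: attribute(referer, landing) };
  });
}

console.log(demo());
```

Under either policy the HTTP landing page receives no Referer from an HTTPS source, so the visit is counted as direct; the HTTPS landing page keeps at least the source origin.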
Despite the strong move towards a secure cyberspace, only about 80% of Chrome traffic on Chrome OS and Mac is now protected. The number dips by a further 10% when it comes to Chrome traffic on Android and Windows. This number is astonishing considering that the HTTPS protocol has been around since as early as 1995, when it was called Secure Sockets Layer (SSL).
3 Main Reasons to Enforce HTTPS
The benefits of enforcing HTTPS are quite clear. Data sent using HTTPS is secured via the Transport Layer Security protocol (TLS), which provides three key layers of protection to the end user, eventually boosting privacy levels.
- Encryption: Encrypting the exchanged data to keep it secure from malicious attackers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages or steal their information.
- Data Integrity: Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
- Authentication: Proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust. For example, there was a time when AT&T was injecting ads via their hotspots. This would not be possible on HTTPS websites.
As mentioned earlier, most places like hospitals, schools, colleges and airports have already made the move to the new and secure HTTPS protocol. But does that mean the website visitors are now safe? Is this just a “one-and-done” move?
Automation – Take Web Security to the Next Level
HTTPS is referred to as a secure protocol, and many people think it protects their website completely. Moving to HTTPS will make it harder for attackers to hijack your traffic, but it is not completely bulletproof and does not guarantee security. You may still be vulnerable to SSL/TLS vulnerabilities, downgrade attacks, server hacks, DDoS attacks, and other software vulnerabilities.
Malicious attackers often misuse SSL/TLS to hide their exploits, escape detection and bypass critical security controls. These “blind spots” undermine conventional security mechanisms and create a high risk of data theft. Once they have compromised a system, hackers can leverage SSL tunnels to plant malware in your network, hide command-and-control traffic, and harvest private information.
Numerous security systems today perform high-speed SSL/TLS decryption, but these systems rely heavily on having access to your keys and certificates. This requires a thorough mapping, updating and distribution of your certificates, something that is often not done properly due to technical limitations.
This is where automation comes in. By automating your key and certificate security, you can eliminate most “blind spots” that may arise. With this strategy, you can also maximize the amount of encrypted traffic you can decrypt and inspect, effectively minimizing the possibility of data theft and cybercrime.
To sum it up, Google’s aforementioned move is definitely a step in the right direction. But it’s important to understand that the HTTPS protocol is just the first layer of defense. Everything has to be optimized and integrated into your security infrastructure to really fix all loopholes. Stay safe!
Starting at the end of July, people who visit your website using the Google Chrome browser will be seeing a note near your web address flagging your website as “unsecure” if it uses the old HTTP format rather than the HTTPS format commonly seen on ecommerce sites and large media websites today.
*** This is a Security Bloggers Network syndicated blog from Rss blog authored by Scott Carter. Read the original post at: https://www.venafi.com/blog/http-vs-https-will-world-follow-google