Q&A: Here’s how Google’s labeling HTTP websites “Not Secure” will strengthen the Internet

In a move to blanket the Internet with encrypted website traffic, Google is moving forward with its insistence that straggling website publishers adopt HTTPS, that is, HTTP carried over Transport Layer Security (TLS), the successor to the older Secure Sockets Layer (SSL).

Related: How PKI can secure IoT

Google’s Chrome web browser commands roughly a 60% market share, so the search giant has been leading the push to get every website to jettison HTTP and replace it with HTTPS. The former – Hypertext Transfer Protocol – standardized the way web browsers fetch a web page from its host server and thus made the world wide web as we know it today possible.

But HTTP connections are carried out in plain text. Anyone positioned on the network path, on the same public Wi-Fi for instance, can read or alter what passes, whether users are filling out forms on web pages, using shopping carts or banking online. Any personal information and details of financial transactions typed into HTTP web pages are easy pickings.

So along came SSL and its successor, Transport Layer Security (TLS), the underpinnings of secure online transactions. A TLS connection rests on a digital certificate issued by a Certificate Authority (CA), a vendor that verifies that the party requesting the certificate actually controls the domain (and, for higher-assurance certificates, the organization behind it) and then signs a certificate binding the site’s public key to its name. The browser uses that certificate to authenticate the server it is talking to and to establish the keys that encrypt everything the consumer types into web page forms.

The TLS handshake that does this, backed by the public key infrastructure (PKI) of CAs whose root certificates the browser trusts, completes in a fraction of a second and triggers a visual confirmation – the tiny green padlock preceding the HTTPS address in Chrome’s address bar.

With the release of its Chrome 68 browser on July 24, 2018, any web page not served over HTTPS with a valid TLS certificate displays a “Not Secure” warning in Chrome’s address bar.

Mozilla and Microsoft have signaled that Firefox and Edge (the successor to Internet Explorer) will show similar warnings in the near future.

It’s true that most financial services and big-name shopping websites moved to HTTPS long ago. W3Techs’ June 2018 survey shows that 35 percent of the top 10 million websites have adopted it.


However, millions of smaller, less-trafficked websites, as well as countless corporate/private intranet sites, still rely on HTTP – and all of the unencrypted traffic generated by HTTP pages can be read by anyone on the network path using freely available packet-capture tools.

Last Watchdog recently asked Jeremy Rowley, DigiCert’s EVP of product, to supply the wider context behind Google’s push. DigiCert supplies SSL/TLS certificates and other PKI solutions for securing web traffic and the Internet of Things. Here are excerpts of my discussion with Rowley, edited for clarity and length:

LW: What’s the fundamental rationale for making HTTPS a de facto web standard?

Rowley: Everyone using the Internet should have their information protected by default, at all times. Using HTTP exposes you to a high risk of your information getting stolen by a man-in-the-middle attack.

Deploying HTTPS everywhere makes sense because you’re always transacting information with whichever website you happen to be visiting. Using HTTPS secures that information. This is a community effort. Sure most sites are secure, but if millions of websites continue to have information leaking out there on the Internet, then it damages the ecosystem as a whole.

LW: Google really has taken the bull by its horns on this issue.

Rowley: Google has been monitoring this for a long time, and at one point they decided that there was enough secure traffic that they might as well take the extra step and push everybody in this direction. For now they’re displaying the ‘Not Secure’ warning on HTTP sites. Eventually, all of the browsers are going to just block HTTP traffic and require only secure HTTPS connections.

LW: So we’re talking about a big step forward.

Rowley: The Chrome 68 update will hopefully spur the millions of sites still using HTTP to adopt HTTPS. We urge IT administrators to check the sites they look after and deploy the appropriate TLS certificates.

Some administrators may think they don’t need certificates on all of their pages, but incorrect configuration and deployment will still lead to the ‘Not Secure’ warnings within Chrome.
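The checks behind that advice, as an added example that is not part of the interview and not DigiCert’s tooling: a Python script that (a) performs a real TLS handshake with certificate and hostname verification against the system trust store, (b) computes the days remaining before the certificate’s notAfter date from the string exactly as ssl’s getpeercert() returns it, and (c) scans a page served over HTTPS for sub-resources still loaded over http://, the “mixed content” deployment mistake that leaves a page flagged as not secure even when its certificate is valid. The hostnames and the sample HTML are constructed for illustration.

```python
"""Added HTTPS-readiness checker (illustrative; not DigiCert's or the article's code).

What it checks, following the points made in the interview:
  * a valid, trusted, unexpired certificate (real handshake via the system trust store);
  * how many days remain before the certificate's notAfter date;
  * sub-resources still fetched over http:// from an https:// page ("mixed content"),
    a deployment mistake that leaves the page marked not secure despite a valid cert.
"""
import re
import socket
import ssl
import sys
from datetime import datetime, timezone
from urllib.parse import urljoin, urlparse

# Tags whose src/href/data attribute makes the browser fetch a sub-resource.
# <a href> is navigation, not a sub-resource, so it is deliberately excluded.
_RESOURCE_REF = re.compile(
    r"""<(?:script|link|img|iframe|audio|video|source|embed|object)\b[^>]*?"""
    r"""\s(?:src|href|data)\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE,
)


def find_mixed_content(html, page_url):
    """Return absolute http:// URLs of sub-resources referenced by an https:// page.

    Relative ("/x.js") and protocol-relative ("//cdn/x.js") references resolve
    to https and are fine; only explicit http:// references are reported.
    """
    if urlparse(page_url).scheme != "https":
        return []  # an HTTP page is "Not Secure" anyway; mixed content is moot
    insecure = []
    for ref in _RESOURCE_REF.findall(html):
        absolute = urljoin(page_url, ref)
        if urlparse(absolute).scheme == "http":
            insecure.append(absolute)
    return insecure


def days_until_expiry(not_after, now_ts=None):
    """Days left on a certificate, given the 'notAfter' string from getpeercert(),
    e.g. 'Jan  5 09:34:43 2018 GMT' (two spaces before a single-digit day).
    Negative means already expired. now_ts (UTC epoch seconds) is overridable
    so the arithmetic can be checked deterministically."""
    expires_at = ssl.cert_time_to_seconds(not_after)  # UTC epoch seconds
    if now_ts is None:
        now_ts = datetime.now(timezone.utc).timestamp()
    return int((expires_at - now_ts) // 86400)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Perform a real TLS handshake and return the server certificate as a dict.

    create_default_context() verifies the chain against the system trust store
    and checks the hostname, so an untrusted, expired or misnamed certificate
    raises ssl.SSLCertVerificationError here instead of being silently accepted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample page (hostnames are made up) for the offline part of the check.
SAMPLE_PAGE_URL = "https://shop.example/cart"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example/js/app.js"></script>
<script src="//cdn.example/js/lib.js"></script>
</head><body>
<img src="http://images.example/logo.png" alt="logo">
<img src="https://images.example/hero.png" alt="hero">
<a href="http://partner.example/">partner link (navigation, not a sub-resource)</a>
</body></html>"""


def report(host=None):
    """Human-readable summary; the live handshake runs only if a host is given."""
    lines = []
    mixed = find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL)
    lines.append(f"{SAMPLE_PAGE_URL}: {len(mixed)} insecure sub-resource(s): {mixed}")
    if host:
        try:
            cert = fetch_peer_cert(host)
            lines.append(f"{host}: trusted certificate, expires in "
                         f"{days_until_expiry(cert['notAfter'])} day(s)")
        except ssl.SSLCertVerificationError as exc:
            lines.append(f"{host}: certificate rejected: {exc}")
    return lines


if __name__ == "__main__":
    # Usage: python https_check.py [hostname]; without a hostname only the offline scan runs.
    for line in report(sys.argv[1] if len(sys.argv) > 1 else None):
        print(line)
```

Run it with a hostname to exercise the live check; a site with a self-signed, expired or wrongly named certificate is reported as rejected, which is exactly what Chrome would do. The mixed-content scan is deliberately conservative: it only flags explicit http:// references in resource-loading tags, so a page that passes it can still be broken by resources injected at runtime, which only a browser can observe.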

LW: How big a hassle is this for the stragglers to deal with?

Rowley: It’s fairly easy. You can click through a couple of steps on our website to order a certificate. The background check takes us about an hour to verify the certificate request’s authenticity. After we’ve done that authentication piece, we issue the certificate and help you put it on your web server. Once it’s there, you’re good to go; you’ll have HTTPS enabled for all transactions.

We offer several free tools to help you do all of this, from requesting a certificate to installing it. We also have free tools for certificate management to help administrators stay up-to-date on best practices and reduce the chances of a certificate being neglected or mismanaged.

LW: How soon do you expect Firefox and Edge to do something like this?

Rowley: All of the browsers will move this way, eventually. I’m sure they’re all measuring encrypted vs. non-encrypted traffic and when they reach a certain point, you’ll see them start issuing warnings, and eventually blocking all non-secure connections.

LW: If I’m a straggler, why else should I do this, besides the threat of my site getting labeled ‘Not Secure’ by Chrome?

Rowley: The biggest benefit is you don’t get your customers’ information stolen. If you start losing customer information, people are not going to come back to your website.

Besides encryption and authentication of website traffic, digital certificates can boost SEO rankings, reduce bounce rates, and help minimize abandoned shopping carts.

(Editor’s note: Last Watchdog has supplied consulting services to Bitdefender.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/qa-heres-how-googles-labeling-http-websites-not-secure-will-strengthen-the-internet/