The countdown has begun. In February 2018 Google announced that, as of July 2018, Chrome v68 will mark HTTP websites as “Not Secure”. This push by Google has been a long time coming as they and other vendors make a push for “encrypted by default” or “HTTPS everywhere”. We reviewed the implications of the web moving towards encryption by default in our 2018 Security Predictions.
According to Google’s own statistics 81 of the top 100 websites use HTTPS by default. This number is set to increase over the next few months.
I predict this browser release will spur many organisations to make the push to HTTPS as they seek to encourage (or rather not discourage) their customers or prospective clients from interacting with their website.
As I review popular websites I find that many login pages already use HTTPS but the homepages of those same websites are still using HTTP. This includes banks, retail sites and travel sites. Is your website one of those? It is clear that webmasters still have work to do.
(A note from the blog author: While Google’s release dates and features are subject to change it is still worthwhile adopting HTTPS on your website to protect your client's privacy sooner rather than later. You should also evaluate the implications of the web moving to encryption by default and what this means for visibility of your network traffic).
The build up to “Not Secure”
For years Google has been dangling the carrot in front of webmasters to encourage best practise. In 2014 Google began to rank HTTPS sites higher than HTTP in search results. In September 2016 Google announced Chrome will mark non-HTTPS sites that have a password field as “Not Secure” to ensure the website user knew their personal data is not secured. We now have the next nail in the HTTP coffin as Google announced in February 2018 that as of 24 July 2018* Chrome v68 will mark sites using HTTP as “Not Secure”. Other browser vendors are likely to follow.
Why is HTTPS a good thing?
I probably don’t need to say it here but the migration to HTTPS is a good thing as businesses seek to protect the privacy of clients’ data, transactions and integrity of the data exchanged. As an increasing set of privacy-related regulations come into force (for example, GDPR on May 25) it has never been more important for organisations to demonstrate to auditors, compliance officers and supervisory authorities that they take privacy and security seriously.
What is the user experience?
The Chromium blog explains how Chrome users will be presented with a “Not Secure” notice in the address bar.
Screenshot from Chromium’s blog:
What are the implications and the impact to privacy?
As HTTPS becomes the norm we will see changes in user behaviour as they encounter HTTP and HTTPS-enabled websites. I also hope we shall see changes in adoption of HTTPS across the web.
I predict that use of HTTP on a website will be associated with poor security practice. Users encountering websites that have not migrated to HTTPS will consider other options (i.e. competing services).
I anticipate that users will experience HTTPS-fatigue. While nowadays the use of HTTP stands out as being an in-secure of transmitting data there will no longer be that distinction afforded by the address bar as legitimate business and attackers move to HTTPS. This will be even more apparent when HTTPS is everywhere.
The ubiquity of HTTPS could discourage users from examining certificates before using a website; certificates that could have been stolen by malicious attackers or generated legitimately by attackers. This might not be so much of a problem as in reality we appreciate that the average user probably doesn’t already.
As organisations see the ratio of HTTPS to HTTP traffic increase following wider adoption of HTTPS they will struggle to identify the potential risk being posed by encrypted traffic. Data transmitted over secure channels or connections made to command & control servers would remain uninspected due to businesses not adopting the technology to make such assessments. Having such material slip under the radar is not acceptable.
Websites that deliver mixed content (hosted on HTTPS and HTTP) will likely struggle to migrate all HTTP content (or persuade their providers to do so). This is a good a time as any to start that review and initiate the migration although Firefox has presented mixed content warnings to users since version 23, and Internet Explorer since version 9.
Besides these inconveniences the move to HTTPS is a fantastic stride in the right direction as the focus is put on enhancing privacy and security.
For further information on the implications of encryption by default you can read our 2018 Security Predictions that explained how we believe malicious attackers and organisations will respond.
Top tips to mitigate
- Be sure to monitor the releases timings of Chrome v68 so you know when the change will occur via https://www.chromestatus.com/features/schedule
- Migrate your website to HTTPS as opposed to HTTP otherwise Chrome will mark it as “Not Secure” during July, assuming users upgrade to v68 of course and we know they will not straightaway.
- Consider enhancing your visibility of every-increasing HTTPS traffic moving through your network. SSL Inspection modules added to your secure web gateway will help.
I wish you well on your journey to “encrypted by default”.