Does the fact that a website uses an encrypted https prefix instead of plain http matter that much?
Until fairly recently, conventional wisdom held that https was necessary only for websites that asked visitors to log in, either to buy products and services or to access hidden content.
In recent years, https connections (which use the SSL protocol or its much better successor TLS) have spread rapidly across the Internet for a number of reasons beyond simply protecting e-commerce transactions, discussed in more detail later in this article. Google recently added another to this list by announcing that the Chrome browser would start labelling non https websites as ‘not secure’ in browser address bars from version 56 which will appear in January 2017.
Google has been pushing https security since way back so this is just the latest instalment of its master-plan to raise Internet security above what is still often joke status.
The labelling won’t be subtle and will clearly stigmatise sites not using https. The first sites marked in this way will be https websites transmitting passwords (i.e. logins) or credit cards although by Google’s own estimates the vast majority of those already use https anyway.
In due course, the not secure labelling will be applied to all websites, in effect making https a new default level of security for every and any website. Google isn’t the only big name to announce such a policy (Mozilla has also made similar noises regarding Firefox) but it is the first to spell out a more defined timescale. Because Google is also the Internet’s dominant search provider means that the announcement has wider implications.
So why are Goole and others doing this? Although not a magic force field, https has become mightily important for several reasons:
Authentication: At a basic level, https creates an encrypted tunnel between the client computer browser session and a website, securing traffic between them from interception. This reduces the chances of someone carrying out a man-in-the-middle phishing attack by redirecting users to a fake version of the real site.
Data security and compliance: Using https means that data passing between a computer and a website is encrypted, including passwords and credit cards numbers. In principle, this stops hackers sniffing data as it is sent, for example via an open Wi-Fi connection.
The PCI DSS standard for card processors also demands that all card data is sent over SSL or TLS encrypted connections, so https has been a standard for e-commerce sites for some years.
Privacy: this is a more recent concern but using https also gives some (repeat some) privacy from surveillance. Anyone watching sites accessed by a user will still know they are visiting specific domains (e.g. techworld.com) because domain data is sent in the clear but won’t find it so easy to know which bits of the site are being read.
Weaknesses? The traditional issues with https were that it imposed a higher latency and was also tricky to use when so many big sites offered both https and https domains. Users could find themselves suddenly using an insecure connection without realising it.
The overhead issue is no longer noticeable (if it ever was) while the Electronic Frontier Foundation (EFF) released a tool, Https Everywhere, that defaults browsers to https connections where available as a way of making this security easier for people to manage. According to a Google survey, large numbers of brand sites now default to https anyway – Google’s Chrome announcement will doubtless make this universal in short order as nobody will want to be labelled negatively by the Internet’s most popular browser.
It’s a separate issue perhaps but the certificate system on which SSL and TLS are based has been come under attack from time to time while vulnerabilities have more recently been discovered in legacy versions of SSL. Depending on how it is implemented – and there are older and newer ways – is not invulnerable.
What about cost? This is probably the biggest issue hindering the spread of https, not helped by the way ISPs have racked up high annual charges for anyone buying the digital certificate needed to set it up.
The possibility that non-https sites will now have a stigma attached to them raises a bit of an issue as to how smaller and non-professional sites cope with the change without having their wallets emptied by hosting providers. Google has also said it plans to down-rank sites in search that don’t use https. This alone could render quickly make plain http extinct for any site that values traffic.
It is now possible to get one-off SSL certificates for nothing from one or two providers, something that will probably spread in time. Users of blog systems such as WordPress.com get the technology built into all domains hosted on the system at no extra charge (as well as having vulnerabilities on the platform patched automatically).
Google has spoken and now the Internet just has to digest the message.