Sophos Cloud Optix
How do you shame an unencrypted website?
The bard might advise that your sites be foul, undigested lumps, and the developers scullions! Rampallians! Fustilarians!
Then he’d likely threaten to tickle their catastrophes and their venomous toad-tainted nonencryptiousness.
Google Chrome, on the other hand, plans to strip it down: starting in January 2017, the browser will start flagging some unencrypted sites as plain old “Not Secure.”
OK. Well. It’s a start.
The “NS” label is the first step in Google’s eventual plan to shame all sites that don’t use encryption.
On Thursday, Emily Schechter, of the Chrome Security Team, said on the official Google security blog that the first step is to flag HTTP sites that transmit passwords or credit cards.
Then, it’s on to all the other obscene, greasy tallow-catches.
Google’s been pushing toward all-HTTPS for a while now.
In March 2014, during the unveiling of the ever-widening NSA/GCHQ/FBI/et al surveillance state, Google started using an always-on HTTPS connection and encrypting all Gmail messages moving internally on its servers.
At that time, only 50% of requests handled by Google were encrypted.
That meant that some of the web’s most trafficked locations were vulnerable: major news sites, for example, where intruders tinkering with content or spying on us could have major repercussions.
The percentage of encrypted sites has gradually climbed over the past two years. In March, Google’s Transparency Report said that it was securing 75% of our non-YouTube internet traffic.
The company also said that its aim was to hold itself accountable and to encourage others to encrypt so the web would be all that much safer for everyone.
That 75% obviously reflected progress over two years, but it still left 25% of traffic “in the clear,” as cryptographers put it.
That means that the HTTP sites aren’t using the encryption that’s commonly referred to as HTTPS. When a site’s using it, a browser’s address bar will show a padlock.
Without the S added to “HTTP” and the padlock, traffic is traveling without the encryption standard, Transport Layer Security (TLS).
It’s important to note that HTTPS isn’t only about confidentiality – which is how most people think of encryption – but also about authenticity and integrity, which in many cases are even more important.
This means that, without HTTPS, eavesdroppers can not only access the data flowing over the internet, seeing everything we do on a site, but can also intercept it and manipulate it.
When traffic is unencrypted, it opens up our online activities to anyone using the same Wi-Fi at the local coffee shop, who can steal our passwords or banking information. It also enables our online activity to be tracked and sold to advertisers by Internet Service Providers (ISPs).
It allows both governments and cybercriminals to keep an eye on what sites we’re visiting and what we’re reading, as well to alter what we see and where we go, whether that’s to censor content or to divert our banking transactions to the wrong recipients.
Beyond the uptick in encrypted traffic, there have been other improvements: Google recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS.
In addition, since February, when Google released a report on which top sites were using HTTPS, twelve more of the top 100 websites changed their serving default from HTTP to HTTPS.
As it now stands, Chrome indicates HTTP connections with a neutral indicator that doesn’t even hint at the true lack of security for HTTP connections, Schechter explained.
Here’s the plan: starting in January with Chrome 56, password or credit card form fields on non-encrypted sites will be labeled “not secure.”
Then, in following releases, those HTTP warnings will be extended: for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy.
Eventually, all HTTP pages will be labeled non-secure, and the HTTP security indicator will change to the red triangle/exclamation mark that Google uses for broken HTTPS.
Sounds great, for sure, and hopefully Google will manage to do it in a way that users won’t ignore. As Google is no doubt aware, people ignore security alerts up to 87% of the time.
Google isn’t pretending that encryption is easy, but it does offer reassurances that it’s not quite as onerous, or expensive, as it’s previously been.
Google notes that encryption also enables both the best performance the web offers and powerful new features that are too sensitive for HTTP.
Google’s offering set-up guides to get started.
So, obviously, developers, be you as chaste as ice, as pure as snow, but still you turn from encryption, you shall not escape calumny. Get you to an encryptionery.
Go! Farewell! We hope to welcome you anon soon to the land of HTTPS!
LOL great work as always Lisa.
So will the Google circle turn to a triangle and go red whenever it has a security bug – like the 61 bugs in the last 60 days?
I built a website for a former employer several years ago. It is just an information site, no registration, no selling of stuff, it is just a fancy brochure for the company.
As such, we intentionally didn’t bother with purchasing SSL certs for it. They wouldn’t do anything or provide any additional benefit.
There are lots and lots of websites, especially for small business, that are similar. Does Google plan on eventually shaming them into going the encrypted route too?
You can get TLS certificates for free. So why not? It provides extra certainty to your customers. Why not prove it really is your site and not an imposter?
Another interesting thought: It’s a plot to screen out websites that aren’t run by geeks. Every two years I have to go through the exercise of getting a new cert from Provider A, copy-pasting the content into an email to web host B. There are a couple of other steps.
I’m a pretty technical guy, program in assembler and type web pages in Notepad in raw HTML, but every two years I have to go through an hour’s study to remember what to do to get the updated cert and then get it installed.
Hmm. Just wondering if it’s also a plot to get rid of stale web pages.
Invest the time in learning how to set up Lets Encrypt and you’ll only have to do it once and the certificates are free. Certificates need to be updated every few months but the process can be automated so it runs and runs.
In a couple of years we’ll all look back at the way we used to manage certificates and laugh at how primitive it all was.
While you may not see the benefit personally it helps everyone else by creating more encrypted traffic.
There are two reasons why small business brochure sites should consider TLS.
Firstly it’s an SEO ranking signal that’s easy to tick off and if you don’t do it you’re ceding a small SEO advantage to competitors who do. Secondly, and more importantly, TLS is not just about encrypting the traffic between two sites, it’s also about validating the identity of the site you’re talking to. It defends users against man-in-the-middle attacks.
Does that website have a login page? The one to login and manage content? If so, ask yourself if that username/password that is being sent to the server are encrypted? Do you still have concerns about the topic after answering that one question?
So now Google is going to penalize millions of websites on shared hosting servers (each hosting hundreds of accounts), unless we can afford to buy dedicated IP addresses and SSL certs through our hosting companies? I can see doing that if one runs an ecommerce site. But, not if it is a personal project, or affiliate referrals website, or a blog.
Have a look at LetsEncrypt. TLS certificates don’t have to cost money. If your hosting provider can’t or won’t support free certs…maybe have a look around for one that will.
My wife is a freelancer and created a small website using a web-publishing tool. She checked several and went for a cheap and easy to use one. No https, only http. She just provides basic info and offer a way to contact her. Everything else happens afterwards, offline (it is a local service). I presume there are thousands and thousands of sites like that. Also a friend narrates his travelling adventures in a non https site. He does not want to pay more or bother with technicalities (yes, he is not an IT guy, far from that, enough with managing the basics of the blog).
Why punishing people like them? We (IT security conscious guys) and them (people not interested in IT that just use it when they need) live in a different world. Impose not needed security (no payments, no recording of personal data,…) on them is probably counterproductive. In Usable Security the word usable is what makes the word security useful.
The thing is, that HTTPS isn’t that hard. It’s certainly not harder than having a website in the first place 🙂 Visits to websites *do* reveal personal data, whether you intended that or not. I hear what you’re saying about keeping it simple for people who want to run websites without caring about security…but you can also argue that if you’re going to run a website, then it’s not unreasonable to suggest that you probably ought to care about security, or find a hosting provider that cares. After all, what next? Should we exempt hobbyists “who aren’t interested in IT” (yet are interested enough to run their own websites) from privacy laws? Stop requiring them to apply patches? Tolerate them storing plaintext passwords?
You don’t get it… I am talking about websites that only give information about offline activities. They do not store passwords in the first place, just because they do not ask for them (neither for names, usernames, etc.). Yes, NSA might have it easier to spy on visitors of these websites… well, I count on NSA potentially spying on everything I do online, with or without s…
As some other commenter has said, the web is a wonderful place where everybody can publish … making that more difficult is bad for Liberty of society… Always there is a trade-off, a little more difficult for NSA to know if I like to read travelling blogs or less people creating travelling blogs just for fun? In this case I prefer to make things easier for everybody, but that’s just my opinion
What you mean when you say “I don’t get it” is that I don’t agree with your opinion that encrypting everything (so you don’t have to worry what you forgot) is an extra level of complexity that you don’t want to have to be bothered with, and therefore shouldn’t have to.
I live in a city with a lot of people, mainly students – at a very prestigious and privileged University, I must say – who demand the right to ride bicycles without ever bothering with lights even in the dead of night, although they could easily afford them and jolly well know better. The reason is that “it makes things easier” not to care about how your behaviour affects other people.
I like the example of the lights on bikes. Encrypting everything means that you must always have the lights on in your bike, day or night (just in case you forget…). What I say is that they must be compulsory only by night or in conditions of low visibility.
So, an old woman has a bike that she uses every now and then to go to the supermarket (this is real in places like Netherlands). She only goes during the day, and takes the bus if she needs to go shopping and it rains or snows or it is foggy. She never bought bike lights, she never needed them and she never bothered. Now you want to force her to go to the shop and pay (from her money) for lights that she does not need, and that she must remember to switch on when she takes the bike (even if the few times that she does that it is sunny and the lights are irrelevant) and off when she is back home.
Well, whose behaviour is affecting who here?
P.S.: I have worked (much less than you, but still a bit) in the computer security field, and I know how important it is. That is also why, in my opinion, we should really work hard in enforcing it when it is needed, and not when it is not needed, or we will be seen as stinky intruders (or hopefully using correctly an English expression, better not to try to burn a candle at both ends, in my opinion).
Yes! I want her to buy bike lights, and better yet, I want her to use them like I use mine: *always*, on every trip, day or night. (All modern rechargeable bike lights I’ve seen have a “daylight” mode.) If she can’t afford them, then social services ought to help her out, as I assume they assist her with healthcare.
Because *I’m* safer if I can see her coming along behind me. So I want her to buy lights for *me*, and for everyone else, whether she cares about herself or not. Think of it as part of *my* healthcare.
It’s the same with HTTPS. If you are smart enough to run a website (and if it’s important enough to you to want to do so), then you may as well do it properly. And encryption (providing, as Mark Stockley points out elsewhere, confidfentiality, authenticity and integrity) is no longer hard, or unusual, or intrusive.
[This thread is now closed.]
I’d love to get a free Let’s Encrypt DV certificate for my site even though it’s non-interactive and only serves static content, but in order to do so as far as I can see I’d need shell and cron on the web server. Neither are available to me unless I were to fork out for a much more expensive hosting service than the one-up-from-basic one I use. Yet if my hosting provider wanted to it would be a simple matter for them to add a button to my hosting control panel that would do it all with one click. I suspect though that the bean counters in their organisation still think they can squeeze money out of people for DV certs. We need to start a campaign to persuade them otherwise before Google starts hitting people like me by clobbering their rankings. Anyone in this situation, raise a support ticket with your hosting provider now, and tell them you’ll be looking elsewhere if you don’t get satisfaction!
HTTPS is already an SEO ranking signal.
Deprecating the amateur Web. Either pay to play or wear the scarlet “NS”. Don’t get me wrong: I’m a strong proponent of secure communications (you can find my gpg key at pgp.mit.edu), but I’m also a strong proponent of an internet that give the power of the press to the people who can’t afford to buy their ink buy the barrel. One effect of this is that SSL certs will serve as another barrier to entry into the marketplace of ideas.
If Chrome starts putting security warnings on ordinary, safe sites, that just happen to be using http, then users will be trained to ignore security warnings.
Well, it looks like our 501 (c) (3) non-profit will have to move from our current host (who probably won’t offer TLS or will offer it only with expensive certs to a somewhat more expensive company.
Or maybe this sort of thing will start pressing hosting providers to make TLS the norm and not a revenue stream?
https everywhere stopped working in chrome, was it disabled by google?
Google’s guides are for web developers. what about non-developers who use shared hosting?
By the way has anyone noticed that both Chrome & Firefox have already added a ten(10) second delay to any link that does not start with HTTPS?
While I agree that HTTPs should be used almost everywhere, several of the items in the article are not correct, technically.
1) HTTPS is still generally susceptible to MIM attacks, and nation actor states can tap in and see all “secure” traffic, and have been able to for years.
2) Your WiFi example is also bad in that the WiFi can be spoofed so that you connect to the bad guy and then they have all your data, “secure” or not (there are several ways around that).
3) As of the mid 2000’s I’ve seen malware that will sit MIM style and read everything that your “secure” site sees and all the passwords, etc. You still have to ensure your PC/Desktop/Tablet doesn’t have malware on it, and that’s getting more difficult.
4) Even though the certificate is fairly easy these days, getting apache / iis, etc setup correctly isn’t that easy. Run Qualys SSL test on MANY “secure” websites and you’ll see bad setups/configurations that can cause significant insecurities.
5) given the above, where does the “authenticity” and “integrity” fit in.
TLS is not a cure all, and let’s make that clear.
2) I don’t see how this is possible if your computer only uses trusted root certificates and you use authenticated encryption to connect to everything. Even if the wifi traffic is monitored there is nothing that can be decrypted given the data available to the wifi traffic sniffer…
5) no but that’s a start….
Hmmm, I use a vanity url but my blog is hosted on…well Google…I can’t use https because google don’t support that with vanity urls. so this will cost me money – I’ll have to move and pay for hosting – did I miss something? My blog is just that, a blog, I don’t sell or even have comments switched on on it! It’s a (currently cheap) hobby….
Great news I do think a lot of sites need to work on securing their sites and free certs can be gotten on zerossl.com.
Nice work Lisa.
The smirk on this for me is remembering a Chrome bug where people were asking for a switch like the one in the Firefox about:config where you can force it to always show the http:// protocol handler. Now Chrome is adding an alert that has almost the same functionality as a feature request that had years of refusals on it.
On a more serious note with SSL: I work for an ASP providing a public facing website where we have HTTPS, and going to the default site in plaintext does a redirect to the HTTPS – all good by these standards. We used to have one customer who connected to us via a private circuit to their central office, which from there branched out to around 500 remote offices where the end users were. All remote offices were on satellite links. I’m not sure if this was really from the satellite company or not, but we had to keep all pages for that customer on plaintext, supposedly due to the satellite links not being able to properly apply compression to HTTPS traffic. What would be the ‘encrypt all the things’ response if my understanding of this customer’s situation was correct?
“Google’s been pushing toward all-HTTPS for a while now.”
A bit strange then why half of the traffic from their own mobile apps goes to their own servers unencrypted over port 80.
Is that true? Have you measured it recently? I was under the impression that all or almost all of Google’s own app-related traffic was HTTPS.
Firefox’s approach seems more appropriate with the red strike on the padlock. It looks scarier than “Not Secure” and I guess it will be more likely to attract attention from unsuspecting users.