Google Set to Name and Shame Sites Lacking HTTPS
Chrome Browser Will Flag Sites Lacking Security Communication Protocol
Heads up, internet land: Come July, Google Chrome will mark every site that does not use HTTPS encryption as "not secure."
Hyper Text Transfer Protocol Secure - HTTPS - better secures client/server communications by making SSL/TLS encryption the default protocol for accessing all pages on a site.
Using HTTPS - especially with TLS - helps prevent outsiders from eavesdropping on communications or launching man-in-the-middle attacks.
Google says it's been applying pressure to get more sites to begin using HTTPS.
"For the past several years, we've moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption," Emily Schechter, Google's Chrome security product manager, says in a Thursday blog post. "And within the last year, we've also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as 'not secure.' Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as 'not secure.'"
Many information security experts, including security and privacy consultant Jessy Irwin, have applauded Google's move.
"I, for one, am super down for the @googlechrome folks marking non-HTTPs sites as insecure
A secure web is here to stay https://t.co/NdeFZqybvp"
- Jessy Irwin (@jessysaurusrex), February 8, 2018
Plug-ins are already available for many browsers, including Mozilla Firefox, that are designed to alert users when they're visiting a site via just HTTP. But it's not clear how quickly browsers beyond Chrome might also do this by default.
Life Since 2010
The shift to HTTPS is well underway.
At first, however, many worried that the extra processing power required to drive encryption might "slow down connections only slightly," as Facebook warned in 2012 when it finally adopted HTTPS by default, having already used it to secure pages that required a username or password. As security expert Ivan Ristic noted at the time, though, Facebook continued to offer "an opt-out for the crazies."
Facebook was following in the footsteps of Google, which in January 2010 made HTTPS the default for all access to Gmail.
Two months later, Pamela Jones Harbour, the outgoing commissioner of the U.S. Federal Trade Commission, called on large internet services, such as Microsoft's Hotmail, Facebook and Yahoo, to also begin using HTTPS. "Security needs to be a default in the cloud," she said.
And by July 2012, Google was reporting that it had seen almost no performance hit due to enabling HTTPS. Shortly thereafter, Twitter and Hotmail also began using HTTPS by default.
Current HTTPS Adoption
Since then, the move to HTTPS appears to be progressing well. Google says users of its Chrome browser are finding HTTPS:
- 68 percent of the time when using Android and Windows.
- 78 percent of the time when using Mac OS X, iOS and Chrome OS.
Google says 81 of the top 100 websites - based on traffic volumes - use HTTPS by default.
Google Offers Open Source Lighthouse
Many websites, however, have been kludged together over the years, which can make it difficult to trace when resources are being loaded using HTTP instead of HTTPS.
To help, Google's Schechter recommends the latest Node CLI version of the automated improvement tool for developers called Lighthouse. The open source tool is designed to help developers improve and maintain the quality of a web app.
"The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version," Schechter says.
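The kind of check Schechter describes can be illustrated with a short script, added here as an example (it is not Lighthouse's code and not from the original article): it lists the subresources a page references over plain HTTP and marks which ones can be upgraded by changing the reference. The function names, sample HTML, hostnames and the `https_ok` probe are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
# <a href> is a navigation, not a subresource, so it is not listed.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "embed": "src", "link": "href"}

class SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []  # (tag, absolute URL) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not value:
            return
        # Only <link rel="stylesheet"> is treated as a fetch; canonical etc. are skipped.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        # Relative and protocol-relative references inherit the page's scheme.
        self.urls.append((tag, urljoin(self.page_url, value.strip())))

def audit_insecure_subresources(page_url, html, https_ok):
    """Report subresources referenced over http://.
    https_ok(url) is a caller-supplied probe (assumption) that says whether
    the same resource is served over HTTPS."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        candidate = parts._replace(scheme="https").geturl()
        findings.append({"tag": tag, "url": url,
                         "upgrade_to": candidate if https_ok(candidate) else None})
    return findings

# Constructed sample page and probe; a real probe would issue an HTTPS request.
SAMPLE_HTML = """<head><link rel="stylesheet" href="http://static.example/site.css">
<link rel="canonical" href="http://shop.example/cart">
<script src="//cdn.example/lib.js"></script>
<script src="http://legacy.example/tracker.js"></script></head>
<body><img src="/img/logo.png"><a href="http://other.example/">link</a></body>"""
HTTPS_READY_HOSTS = {"static.example"}

def sample_probe(url):
    return urlsplit(url).hostname in HTTPS_READY_HOSTS
```

A finding with `upgrade_to` set can be fixed by editing the reference; one with `None` needs the resource hosted somewhere that serves HTTPS first.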
Regardless of the tools developers use to help them build more secure sites, the writing is clearly on the wall: The future is HTTPS.