Google has announced that websites without ‘HTTPS’ in front of their domains will be labelled as ‘Not Secure’ in version 48 of Chrome, starting this July.
What Is HTTPS and Why Does It Matter?
HTTPS stands for Hyper Text Transfer Protocol Secure. It is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to, which means that all communications between your browser and the website you visit are encrypted.
In practical and technical terms, having HTTPS in front of your website URL means that:
- Every unprotected HTTP request could reveal information about the behaviours and identities of your users. With HTTPS, therefore, critical security and data integrity for both your websites and your users’ personal information is provided. For example, no one with access to your router or ISP can get in the middle and intercept information sent to websites, spy on what you’re doing, or inject malware into legitimate pages.
- Intruders (benign and malignant), now target every unprotected resource between your website and users e.g. images, cookies, scripts, and HTML. HTTPS provides a kind of blanket protection. ‘Intruders’ could include intentionally malicious attackers, as well as legitimate but intrusive companies e.g. ISPs or hotels that inject adverts into pages.
- HTTPS doesn’t just block misuse of your website, but it is now also a requirement for many cutting-edge features, and is an enabling technology for app-like capabilities such as service workers, or building progressive web apps.
- Many older APIs are now being updated to require permission to execute e.g. geolocation API. HTTPS is, therefore, a main component to the permission workflows for both new features and updated APIs.
Naming and Shaming
Google’s Chrome Security Product Manager, Emily Schechter, has announced on the Google Blog that, as from July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. Google has played down this more direct move as being simply another step in a progression that has seen it gradually marking a larger subset of HTTP pages as “not secure” over the last year. Those companies and organisations that have not yet got their secure certificates may, however, be left thinking that this looks more like a naming and shaming.
Google isn’t the only company to adopt this kind of tactic. Mozilla took a similar approach sites using HTTP back in December with Firefox Nightly version 59.
The cost of secure certificates varies e.g. popular host GoDaddy offers HTTPS for one website for around £44 per year (£55 when you renew it). Google’s blog post avoids discussion of the cost, and focuses more on the benefits, the risks of not getting one, and makes the point that secure certificates are now more affordable than ever.
According to Google’s figures, many sites have already switched to HTTPS, with a reported 68% of Chrome traffic on Android and Windows now protected, 78% of Chrome traffic on Chrome OS and Mac now protected, and 81 of the top 100 sites on the web now using HTTPS by default.
What Does This Mean For Your Business?
Clearly, any thought that a secure certificate will only be needed by websites that directly take payments is likely to be wrong. Google is committed to making HTTS the default standard – on its blog it says ‘a secure web is here to stay’. The fear for businesses, in addition to the fear of cyber attacks, is that if you don’t have HTTPS for your business website soon, it could suffer in the search engine rankings, and potential customers could be scared away by visual warnings that the site is somehow, suddenly not secure. For smaller businesses this could be particularly damaging.
If having HTTPS reduces the risk of cyber crime then the benefits of buying a secure certificate will outweigh the cost, but for many smaller businesses, this may feel like they are being forced to pay an extra cost each year, and it may also force cyber criminals to change their tactics e.g. move more into social engineering attacks, and perhaps turn to AI-powered attack methods.