Have you noticed a sudden rash of websites flagged as “not secure?” Every browser does it a little differently, but all the latest versions of the big four (Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari) warn users about unsecured websites. Since July, Chrome has started to mark every website as either “secure” or “not secure” right next to the domain. Others, such as Firefox, warn you if a secured website has any issues with its certificate or encryption level.
Does This Mean the Internet Is Becoming More Dangerous?
Quite the opposite. In fact, more websites than ever are secure. Google tracks the number of pages loaded into Chrome (they have cool real-time charts that show the trends). The numbers differ slightly by platform, but the trend is clear. In June of 2015, 40% of web pages loaded into Chrome on Windows were secure. On September 2, 2017, the number was 63%. And as of September 1 of this year, we’re at 77%.
So, what’s driving this trend? Obviously, building a secure website seems like the right thing to do, but we all know people don’t always do what’s right. Google may have something to do with it. Security is a priority for the internet behemoth. In addition to using security measures such as strong HTTPS encryption by default on their own sites and services, Google wants the websites that people access from Google to be secure. Back in 2014, they called for “HTTPS everywhere” on the web, meaning all web communication should be secured by default. In the same year, Google also announced that it would use encrypted connections as a signal in their search ranking algorithms. SEO—now there’s incentive to secure your website.
Why The S In HTTPS Matters
HTTPS is the secure version of the protocol—Hyper Text Transfer Protocol or HTTP—over which data travels between browsers and the websites to which they connect. Historically, HTTPS was used only on sites that processed payments or other sensitive transactions, like banks or ecommerce. And even then, the entire site wouldn’t necessarily be secure. In many cases, you’d be directed to an HTTPS page just for logins or transactions that require you to then enter sensitive data.
HTTPS is often associated with encryption, but it actually provides three levels of protection:
- Authentication, which “proves” the identity of the site and protects against fake sites masquerading as legitimate businesses.
- Data integrity which ensures no one has tampered with the exchanged data while in transit.
- Encryption protects against man-in-the-middle attacks where communication between two parties is intercepted and possibly even altered.
In addition to providing security, HTTPS also supports privacy. Every unencrypted HTTP request can reveal something about the user. The information from an individual site visit may seem like no big deal, but aggregated data can build a picture of user’s behavior, intention, and identity, all of which can quickly shift into creepy territory.
Like any security control, HTTPS is an important precaution, but it isn’t perfect. Remember Heartbleed from a few years back? That was a vulnerability in OpenSSL, the open-source implementation of the SSL and TLS protocols. (Don’t worry if those TLAs—three-letter acronyms—don’t mean anything to you; the section below explains everything.) Or if a scammer finds a way to acquire a certificate that makes their fraudulent site look legitimate, the browser wouldn’t be able to flag the site as not secure. But it’s like the lock on your front door. It can be picked, but you continue to use it because it still provides an excellent level of protection against home intruders.
Technical Stuff Explained in Plain English
As mentioned above, HTTP is the protocol that defines how messages are formatted and transmitted across the web, as well as which actions a browser or web server takes in response to a command. It’s basically the “language” that browsers and websites use to communicate.
With HTTPS, an SSL/TLS encryption layer runs on top of the basic HTTP. SSL (Secure Sockets Layer) uses encryption to scramble the data as it’s being transmitted so that even if someone captures the information while in transit, they can’t read it. TLS (Transport Layer Security) is just an updated and more secure version of SSL, though the term SSL is used interchangeably nowadays.
The website proves its identity to the browser with an SSL certificate, which is a small data file that digitally binds a cryptographic key to an organization’s details. Now, anyone can create a certificate, so just the presence of one is not enough to guarantee security. Browsers look for certificates that have been issued by a certificate authority (CA), which is known to be an extremely trusted and secure entity capable of authenticating the identity of the certificate owner.
The last piece of the puzzle is the key pair. SSL certificates have a public key, which is available to anyone, and a private key which is kept secret by the owner, and these two measures work together to establish the encrypted connection. Anyone can encrypt using the public key, but only the server can decrypt using the private key, and vice versa.
Advice for Site Owners
If you have a website that isn’t currently secured and doesn’t collect or use any sensitive data, do you need to make the switch to HTTPS? The short answer is, yes. Purely from a perception standpoint, you don’t want your site and/or brand associated with the “not secure” message browsers will send your visitors. When people who don’t necessarily understand this technology see such an alert, they typically scurry back to digital safety and skip their site visit altogether. On the other hand, cybercriminals and other malicious actors look for ways to exploit any potential weakness, which means implementing HTTPS can prevent against malware on your site and protect the privacy of your visitors. And, of course, there’s the whole SEO thing. The good news is that it’s pretty easy to do and your hosting company should be able to help you take care of it.
Advice for Internet Users—Ahem, Everyone
You’re surfing around, and suddenly your browser sends a warning that the site you are trying to visit is not secure. What should you do? There’s no one-size-fits-all answer, but like anything on the internet (or in life)—you need to be smart about it. If you’re confident the site is what it claims to be, and you aren’t filling out any forms on the site, it might be fine. But under no circumstances should you ever submit any confidential or sensitive data on a site that is not secure. Hard. Stop. And it’s not enough to just look for the “S” in the URL. There are several reasons why a site may have an HTTPS URL but still be flagged as not secure. For example, SSL might be enabled, but there is no certificate or the certificate may be expired.
It’s easy to grow numb to a constant stream of security warnings, and if it seems like there are a lot of “not secure” flags being thrown up, it’s tempting to start ignoring them so you can just get to the sites you want to visit. But remember, the browsers give those warnings for a reason, so be smart and stay safe.