Computer & Network Security
Did you know that if your website’s URL does not start with “https”, which means that it does not use any encryption, your website has been ranked lower on Google’s search engines than it should be by Google’s ranking algorithms? Additionally, starting from July 2018, Google Chrome and other browsers will mark all websites as “Not secure” if they do not have secure encrypted connections configured.
The change shown above is part of long term plan “HTTPS everywhere”, that Google had deployed a few years ago to encourage site owners to improve their website’s security. You might have noticed that since 2017, when any input onto a HTTP site is made through Chrome; the address bar would instantly display the “Not secure” notification. This will eventually transition into including a red warning sign to help raise awareness to users that their communication with a site is vulnerable to attackers, allowing them to have true insight of the level of security on the web.
Google has decided to incorporate a gradual transition to this movement for two reasons. Firstly, to grant website owners sufficient time to correctly configure their sites to HTTPS, and secondly, ingeniously protecting the public image of the red warning sign so that it would truly be an indication that a website’s security should be questioned. Furthermore, according to statistics published by Chrome, the default use of HTTPS on the top 100 sites has grown from 37 in 2016, to 81 at the start of 2018.
If you visit websites regularly or are part of an organization that owns a website, it is beneficial to understand what it means to browse the web securely. This is when a site is accessed by using the HTTP Secure (HTTPS) extension of the Hypertext Transfer Protocol (HTTP).
When a user is interacting with a website that only uses HTTP, all data that is sent back and forth between them is done so in plaintext. As a result, the need for an improvement of security during this process has led to the implementation of three main features of HTTPS:
A very troublesome situation is that of using public networks, such as the Wi-Fi in a coffee shop. If a user is communicating with a website that does not enforce HTTPS, data can be gathered by attackers using packet sniffer tools, which attempt to intercept and gather packets on a network. This allows the attacker the ability to access sensitive information in plaintext, for instance; a user’s login information. Attackers could also modify the content in transmission which could potentially trick users into downloading malware. In extreme cases in situations where no sensitive information is being communicated, attackers can still gather information revealing behaviors and identities of users.
Websites should not only be secure to protect users, but also to improve brand reputation, allowing users to trust the websites that they are accessing. Google and other search engines have been giving websites that use HTTPS a ranking boost since 2014. Therefore, if an organization wants to improve their online presence while still using HTTP, then an easy option is to upgrade to the recommended HTTPS configuration.
To assure that browsing on a specific website is done securely, web browsers all display a green padlock by the URL with the text “Secure”, followed by the URL that starts with HTTPS, not HTTP. This means that they currently have a valid SSL/TLS certificate that is officially owned by the website and is configured correctly. Otherwise, a red warning sign would be displayed with the text “Not secure”, and a line through the https text, shown below.
More information can always be found about the SSL/TLS certificates in both cases by clicking on the Secure or Not secure text, such as who the certificate is issued to, whether it is expired, and even how many bits are used for encryption.
Users should always inspect the website URL to ensure it is not attempting to impersonate another website. These sites can configure SSL/TLS certificates, but in these cases the website itself is malicious while intending to appear safe. An example of this is a phishing site called “y0urcompany.com.”, which if it said “Secure” by the URL, should not be trusted. It is important to always look at the domain name and check for any misspellings.
When migrating a website to HTTPS, many factors should be taken into consideration, therefore, the help of an expert should be available ensure an optimized configuration. The following steps are a brief description how to approach this migration.
It is recommended to use HTTPS to protect transmitted information, gain fair ranking on search engines, and improve the website’s public view of legitimacy and safety by visibly seeing the URL labeled as “Secure” and a padlock, both in green.
The use of HTTPS on websites indicates that data in transmission is protected with encryption, tampering to this data would be detected, and the site address would be authorized. This allows users to clearly see how secure their communication with websites are. The use of HTTPS requires an SSL/TLS certificate to be configured to a URL, which can be purchased for a single domain, multiple domains, or for wildcard subdomains.
Google has been strongly advising website owners to migrate their sites to HTTPS over the past few years, and these secure sites have been given ranking boosts by search engines. All websites that are using HTTP will eventually have the label “Not secure” and a warning sign, both in red by their URLs, which is even more of a reason to migrate sites to HTTPS. They have provided documentation with best practices and migration instructions along with tools to help this process, readily available online.
Create your free account to unlock your custom reading experience.