Beginning next month, Google Chrome will unleash what amounts to a cattle-prod to force users to stay away from unencrypted web sites. It will mark all HTTP sites as “non-secure.” Currently, Chrome marks HTTPS-encrypted sites with a green lock icon and a “secure” sign. It will be interesting to see how they denote a web site being “not-secure.”
For the longest time, we at Marfeel have also strongly advocated that publishers switch from HTTP to HTTPS. The reasons have always been simple but quintessential, nonetheless. In addition to protecting form data, which is what most people associate with HTTPS, it keeps URLs, headers and contents of all transferred pages confidential, not to mention allows publishers to adopt the newest technology in mobile like PWAs, have accurate referrer metrics, and enjoy the SEO benefits associated with HTTPS.
People still forget that just because a site is hosted safely in one’s own account doesn’t mean it won’t travel through cables and boxes controlled by how many different corporate or state-owned entities. It creates the possibility of someone injecting scripts, images, or ad content onto your pages (and it will look like you put them there). Bad actors can change the words on your page or use your site to attack other sites. These are the kinds of things that can happen and they happen a lot. HTTPS prevents it. It guarantees content integrity and the ability to detect tampering. It just makes sense to encrypt everything on a web site. By encrypting only “secret” stuff, it puts a big target on those transmissions.
Yes, attackers can try to impersonate an HTTPS website. But as long as your private key stays private, browsers will show warnings if attackers present a mismatch or invalid TLS certification. And if the attacker does not use HTTPS, browsers should mark the imposter page as insecure. Authenticity it guaranteed by HTTPS.
As with most things technology, switching something out for security’s sake gets easier and less expensive as time goes by. HTTPS is no different. With the loading process, publishers have learned that the extensions that made their content more interactive and engaging, or ad networks that contributed to their revenue stream are NOT forfeited in favor of enhanced security protocols. Other past deterrents (cost of SSL or TLS certificates) have been remediated as has the unpleasantness due to the amount of configurations and updates required. There still may be headaches involved but you balance that with the headaches caused by having an insecure site.
The good news is that Chrome’s announcement was mostly brought on by increased HTTPS adoption. Eighty-one of the top 100 sites on the web default to HTTPS, and a strong majority of Chrome traffic is already encrypted. Chrome says the rate that sites have been migrating to HTTPS has been “awesome” and will continue to have a strong trajectory throughout 2018. Chrome believes that the balance will be tipped enough by next month so that they can mark all HTTP sites.
Of course, not everyone uses Chrome and not everyone will instantly upgrade to the latest version, but it’s safe to say that it will become a very big headache very quickly for those sites that haven’t obtained new HTTPS certs from other authorities. How big of a headache remains to be seen.