Google's war on HTTP


Some time ago Google said they would name and shame websites that operate over an unencrypted connection, a strategy designed to spur developers into using and embracing HTTPS encryption. Two years later, Google are now following through with this pledge!

Since the launch of Chrome 68, Google flags websites with unencrypted connections as "Not Secure" in the address bar of your browser. Pages that have a valid SSL certificate and a secure connection feature a green padlock and the word "Secure", allowing the user to see that the connection to the website or application is secure and that data entered on the website is safe.

Bear in mind that Google has done this with users' security in mind. Any information sent over an HTTP connection can be intercepted by a hacker in something called a 'man in the middle attack'. People can also pose as other websites, tricking you into handing over personal information such as your credentials, credit card information or other sensitive data. When browsing over an HTTP connection, your ISP and anyone else willing to take the time to breach your connection can see which site you're on and, more specifically, which page you are on. With an HTTPS connection this is not the case, a massive benefit for more adult-oriented websites such as those with 'adult' content or gambling-related websites.

"Encryption is something that users should expect by default." - Chrome Security product manager, Emily Schechter

Progress?

Putting a warning onto websites that don't operate over a secure connection is just a small part of a much larger plan. In January 2017, Chrome put a warning on sites that asked for credit card details. Several months later they instituted it on HTTP in incognito windows.

Even though Google are leading the way in the war on site security, it's not without criticism from others. Dave Winer, developer and one of the creators of RSS, doesn't agree with Google imposing its agenda on all users of the web.

"The fact is they are forcing it. They're just the tech industry. The web is so much bigger than the tech industry. That's the arrogance of this."

Winer's main concern is that forcing HTTPS adoption on this scale and penalising sites that don't embrace it will ultimately affect web developers who don't have the resources to implement it, creating a virtual cordon around older parts of the internet. Winer believes that Google won't stop here, and that this is just the first phase of their war on HTTP.

"Was this the only way to achieve this end? Because this is draconian. If this were done properly, it would have been deliberated, and a lot of people who aren't in the tech industry would have had a say in it."

Chrome aren't alone

Chrome is not alone in posting warnings next to HTTP websites; Firefox has also explored this method. Between them, Chrome and Firefox control a massive 73% of browser market share. Google have noted that the majority of traffic (76% on Android and 85% on ChromeOS) already travels across an HTTPS connection. Gains have come not only from Google but from large hosting sites like WordPress and Squarespace and infrastructure companies like Cloudflare and Let's Encrypt. Let's Encrypt provide free SSL certificates that enable HTTPS connections to all websites.

Two years ago only 37 of the top 100 websites used HTTPS. Now that figure is vastly different, with a whopping 83 out of the top 100 websites adopting HTTPS.

"Expecting every website to enable HTTPS would have been unreasonable prior to the existence of Let's Encrypt, which lowers financial, technical, and educational barriers to enabling HTTPS." Josh Aas, Cofounder of internet security group, the organizers behind.

Summary

This is just one part of Google's ongoing plan to promote the use of HTTPS across the web. Google have plans in September to remove the 'Secure' wording next to the padlock in the address bar on HTTPS websites, because it feels that by this point it should be a largely default posture online. In October, if you attempt to enter any personal data into a website that is operating on HTTP, Chrome will display a 'not secure' warning in red to the user. The internet is still full of a wide variety of dangers and things that can harm you. Google's push on HTTPS will at least put your mind at rest knowing that any data sent to a website is secure and safe for the user, because if it isn't? Chrome will be there to let you know.

As a web development agency we believe that the push on HTTPS is a great thing. With the implementation of systems such as Let's Encrypt we feel that it's very easy nowadays for all users to have an SSL on their website. All of our websites are built as default with an SSL to make sure that data transmitted from the user is safe 100% of the time they are on any of our clients' websites.
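
A site owner can find the pages affected by the data-entry warning described in the summary before Chrome flags them. The Python sketch below is an added example, not code from this post or from Chrome: it scans a page's HTML for fields a visitor types into while the page is served over HTTP, and for forms that submit to an http:// URL even from an HTTPS page. The issue labels, the list of typed input types and the sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: input types a visitor types data into; buttons, checkboxes etc. are skipped.
TYPED_INPUTS = {"text", "password", "email", "tel", "search", "number", "url"}


class InsecureFormAudit(HTMLParser):
    """Collects (issue, detail) pairs for one page, given the URL it was served from."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_http = urlsplit(page_url).scheme == "http"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or relative action resolves against the page URL.
            target = urljoin(self.page_url, attr.get("action", ""))
            if urlsplit(target).scheme == "http":
                self.findings.append(("form-submits-over-http", target))
        elif tag in ("input", "textarea") and self.page_is_http:
            kind = (attr.get("type") or "text").lower() if tag == "input" else "text"
            if kind not in TYPED_INPUTS:
                return
            if attr.get("autocomplete", "").lower().startswith("cc-"):
                kind = "payment"  # standard HTML autofill tokens for card data
            self.findings.append((kind + "-field-on-http-page", attr.get("name") or "(unnamed)"))


def audit_page(page_url, html):
    parser = InsecureFormAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample pages (not taken from any real site).
CHECKOUT = """<form action="/pay"><input name="card" autocomplete="cc-number">
<input type="password" name="pin"><input type="submit" value="Pay"></form>"""
NEWSLETTER = '<form action="http://lists.example.test/join"><input type="email" name="e"></form>'

if __name__ == "__main__":
    for url, page in (("http://shop.example.test/checkout", CHECKOUT),
                      ("https://blog.example.test/", NEWSLETTER)):
        for issue, detail in audit_page(url, page):
            print(url, issue, detail)
```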

Author: Nathan Langer
Category: Google Chrome
Post Tags: Google Chrome, Chrome 68, HTTPS, SSL, Security