Embracing an encrypted future: HTTPS vs HTTP

How many of us really pay attention to whether a website URL has HTTP or HTTPS at its start? How many of us know what that ‘S’ at the end means? 

If you pay attention then you’ll have noticed that over the past few years, there’s been a quiet shift in the web toward including that ‘S’. It’s been a subtle change but one that answers what’s been going on in the world around us. 

With the term “ransomware” just being added to the Oxford English Dictionary and constant news about cybersecurity breaches and online interference in our governments, it might be comforting to know that the ‘S’ stands for ‘Secure’ and provides an encryption-by-default model for the websites that you visit.

What does that extra ‘S’ actually mean for consumers?

81 of the top 100 non-Google websites are using Hyper Text Transfer Protocol Secure (HTTPS) to make their sites a safer place for individuals. HTTPS encrypts communications that are sent between an individual’s browser and the website they’re connected to, meaning that information you submit is harder to intercept and understand. 

Adopting that extra ‘S’ reflects the change in attitude in the business world. It’s no longer just about bringing down your competitors; businesses are now focused on protecting the privacy of clients’ data, transactions and integrity of the data exchanged.

Privacy is at the tip of everyone’s tongue currently with regulations such as GDPR coming into force. But we shouldn’t just pay it lip service – and we’ll be forced not to as some of the most obvious changes to people are about to come into play. On 24th July, Google will roll out Chrome v68 to mark all sites using HTTP as “Not Secure”.

This marker is a clear way to point out to people whether their communications with a site are encrypted or not. Prior to Chrome v68, the security indicator was a small, easily missed (i) icon next to the website address.

But this change hasn’t come out of the blue. For years, Google has been dangling the carrot in front of webmasters to encourage best practice.

In 2014, Google began to rank HTTPS sites higher than HTTP in search results. In September 2016, Google announced that Chrome would mark non-HTTPS sites that have a password field as “Not Secure” so that website users knew their personal data was not secured.

The ultimate goal is to remove the “Secure” security indicator from HTTPS websites, given that encrypted traffic will become the default.

Chrome v68 will now be the next nail in the HTTP coffin and it won’t be an isolated move. Never wanting to be left behind, other browser vendors are likely to follow suit.

Does HTTPS really make you safer?

With a number of high-profile attacks over the last year, there has been a global discussion on encryption and its role in a free society. This conversation has tied into new data protection regulations, such as GDPR, that present organizations with the chance to increase their security efforts and build a culture that upholds the need to protect customer data. 

While someone watching your connection may still be able to see what website you are visiting, the content exchanged will be safe. In a world of fake news, it’s reassuring to know that the extra ‘S’ means that it is harder for anyone not associated with the organization whose website you’re on to alter the information that you’re reading.

But we must be aware that, in reaction to the increased use of HTTPS, cybercriminals and nation state actors are adapting their tactics, techniques and procedures. 

For example, scammers have been acquiring certificates that make their fraudulent websites imitate the likes of PayPal and Google to appear legitimate.

Businesses and governments alike however are more conscious than ever of the need to react to the changing threat landscape, as actors adapt and multiply. 

By embracing best practices – such as the shift to HTTPS – they can look to ensure that the intellectual properties of individuals are protected in a hyper-connected world.

What does it all mean at the end of the day?

As I review popular websites, I find that many login pages already use HTTPS but the homepages of those same websites are still using HTTP.  This includes banks, retail sites and travel sites. It is clear that webmasters still have work to do – and this isn’t just something that you need to think about if you own a business. 

How many of us volunteer at a local charity or are part of the PTA at our kid’s school? Even those basic websites will need to start migrating over to HTTPS and it does have an impact. 

For starters, there is a cost associated with moving to HTTPS – it’s not a lot, but if you’re working to a tight budget, this is something that you’ll need to consider. 

Secondly, it does take some knowledge of website building to be able to make this shift – skills that not all of us have and smaller organizations are less likely to have easy access to. The good news is that tutorials do exist.

This trend isn’t something that will go away overnight. I believe it will be Google’s eventual browser feature to red flag all HTTP pages as “Not Secure” while reducing the security indicators on HTTPS websites due to the extra level of encryption deployed. 

This means that the anomaly of an HTTP page will be very apparent to end users, marking a significant shift in user behavior and preference to the perceived safer HTTPS. However, nothing that is connected to the web can ever be totally safe from threat actors as they constantly look for new ways to get in.

So please, do not place your trust blindly in that extra “S” and stay vigilant with data that you share. 

  • Carl Leonard is a Principal IT Security Analyst at Forcepoint