The following is a guest post by Troy Hunt, awarded Security expert, blogger, and Pluralsight author. He’s also the creator of the popular Have I been pwned?, the free aggregation service that helps the owners of over 5 billion accounts impacted by data breaches.
I still clearly remember my first foray onto the internet as a university student back in the mid 90’s. It was a simpler online time back then, of course; we weren’t doing our personal banking or our tax returns or handling our medical records so the whole premise of encrypting the transport layer wasn’t exactly a high priority. In time, those services came along and so did the need to have some assurances about the confidentiality of the material we were sending around over other people’s networks and computers. SSL as it was at the time was costly, but hey, banks and the like could absorb that given the nature of their businesses. However, at the time, there were all sorts of problems with the premise of serving traffic securely ranging from the cost of certs to the effort involved in obtaining and configuring them through to the performance hit on the infrastructure. We’ve spent the last couple of decades fixing these shortcomings and subsequently, driving site owners towards a more secure web. Today represents just one more step in that journey: as of today, Chrome is flagging all non-secure connections as… not secure!
I want to delve into the premise of this a little deeper because certainly there are those who question the need for the browser to be so shouty about a lack of encryption. I particularly see this point of view expressed as it relates to sites without the need for confidentiality, for example a static site that collects no personal data. But let me set the stage for this blog post because we’re actually addressing a very fundamental problem here:
The push for HTTPS is merely addressing a design flaw with the original, unencrypted web.
I mean think about it – we’ve been plodding along standing up billions of websites and usually having no idea whether requests are successfully reaching the correct destination, whether they’ve been observed, tampered with, logged or otherwise mishandled somewhere along the way. We’d never sit down and design a network like this today but as with so many aspects of the web, we’re still dealing with the legacy of decisions made in a very different time.
So back to Chrome for moment and the “Not secure” visual indicator. When I run training on HTTPS, I load up a website in the browser over a secure connection and I ask the question – “How do we know this connection is secure”? It’s a question usually met by confused stares as we literally see the word “Secure” sitting up next to the address bar. We know the connection is secure because the browser tells us this explicitly. Now, let’s try it with a site loaded over an insecure connection – “How do we know this connection is not secure”? And the penny drops because the answer is always “We know it’s not secure because it doesn’t tell us that it is secure”! Isn’t that an odd inversion? Was an odd inversion because as of today, both secure and non-secure connections get the same visual treatment so finally, we have parity.
But is parity what we actually want? think back to the days when Chrome didn’t tell you an insecure connection wasn’t secure (ah, isn’t it nice that’s in the past already?!); browsers could get away with this because that was the normal state! Why explicitly say anything when the connection is “normal”? But now we’re changing what “normal” means and in the future that means we’ll be able to apply the same logic as Chrome used to: visual indicators for the normal state won’t be necessary or in other words, we won’t need to say “secure” any more. Instead, we can focus on the messaging around deviations from normal, namely connections that aren’t secure. Google has already flagged that we’ll see this behaviour in the future too, it’s just a matter of time.
Let’s take a moment to reflect on what that word “normal” means as it relates to secure comms on the internet because it’s something that changes over time. A perfect example of that is Scott Helme’s six-monthly Alexa Top 1M report. A couple of times a year, Scott publishes stats on the adoption of a range of different security constructs by the world’s largest websites. One of those security constructs is the use of HTTPS or more specifically, sites that automatically redirect non-secure requests to the secure scheme. In that report above, he found that 6.7% of sites did this in August 2015. Let’s have a look at just how quickly that number has changed and for ease of legibility, I’ll list them all below followed by the change from the previous scan 6 months earlier:
- Aug 2015: 6.7%
- Feb 2016: 9.4% (+42%)
- Aug 2016: 13.8% (+46%)
- Feb 2017: 20.0% (+45%)
- Aug 2017: 30.8% (+48%)
- Feb 2018: 38.4% (+32%)
That’s an astonishingly high growth rate, pretty much doubling every 12 months. We can’t sustain that rate forever, of course, but depending on how you look at it, the numbers are even higher than that. Firefox’s telemetry suggests that as of today, 73% of all requests are served over a secure HTTPS connection. That number is much higher than Scott’s due to the higher prevalence of the world’s largest websites implementing HTTPS more frequently than the smaller ones. In fact, Scott’s own figures graphically illustrate this:
Each point on the graph is a cluster of 4,000 websites with the largest ones on the left and the smallest on the right. It’s clear that well over half of the largest sites are doing HTTPS by default whilst the smallest ones are much closer to one quarter. This can be explained by the fact that larger services tend to be those that we’ve traditionally expected higher levels of security on; they’re e-commerce sites, social media platforms, banks and so on. Paradoxically, those sites are also the ones that are less trivial to roll over to HTTPS whilst the ones to the right of the graph are more likely to literally be lunchtime jobs. Last month I produced a free 4-part series called “HTTP Is Easy” and part 1 literally went from zero HTTPS to full HTTPS across the entire site in 5 minutes. It took another 5 minutes to get a higher grade than what most banks have for their transport layer encryption. HTTPS really is easy!
Yet still, there remain those who are unconvinced that secure connections are always necessary. Content integrity, they argue, is really not that important, what can a malicious party actually do with a static site such as a blog anyway? Good question! In no particular order, they can inject script to modify the settings of vulnerable routers and hijack DNS, inject cryptominers into the browser, weaponise people’s browsers into a DDoS cannon or serve malware or phishing pages to unsuspecting victims. Just to really drive home the real-world risks, I demo’d all those in a single video a couple of weeks ago. Mind you, the sorts of sites for whom owners are questioning the need for HTTPS are precisely the sorts of sites that tend to be 5-minute exercises to put behind Cloudflare so regardless of debates about how necessary it is, the actual effort involved in doing it is usually negligible. Oh – and it’ll give you access to HTTP/2 and Brotli compression which are both great for performance and only work over HTTPS plus enable you to access a whole range of browser features that are only available in secure contexts.
Today is just one more correction in a series that’s been running for some time now. In Jan last year it was both Chrome and Firefox flagging insecure pages accepting passwords or credit cards as not secure. In October Chrome began showing the same visual indicator when entering data into any non-secure form. In March this year Safari on iOS began showing “Not Secure” when entering text into an insecure login form. We all know what’s happened today and as I flagged earlier, the future holds yet more changes as we move towards a more “secure by default” web. (Incidentally, note how it’s multiple browser vendors driving this change, it’s by no means solely Google’s doing.)
Bit by bit, we’re gradually fixing the design flaws of the web.
A Note from Cloudflare
In June, Troy authored a post entitled “HTTPS is Easy!,” which highlights the simplicity of converting a site to HTTPS with Cloudflare. It’s worth noting that, as indicated in his post, we were (pleasantly) surprised to see this series.
At Cloudflare, it’s our mission to build a better Internet, and a part of that is democratizing modern web technologies to everyone. This was the motivation for launching Universal SSL in 2014 – a move that made us the first company to offer SSL for free to anyone. With the release of Chrome 68, we want to continue making HTTPS easy, and have launched a free tool to help any website owner troubleshoot common problems with HTTPS configuration.