This push for HTTPS to replace the common HTTP or hypertext transfer protocol seems to be taking root. Google has announced plans that, in essence, penalise unencrypted websites. Their new policies regarding encryption take effect in January, 2017. Though change often causes upheaval, in this case change may not be bad thing and has been brought about by necessity. Under the radar, a movement is growing that would force all websites to employ encryption. This push for HTTPS to replace the common HTTP or hypertext transfer protocol seems to be taking root. Google has announced plans that, in essence, penalize unencrypted websites. Their new policies regarding encyrption take effect in January, 2017. Though change often causes upheaval, in this case change may not be bad thing and has been brought about by necessity. To push the agenda forward, Google first drafted a proposal for the purpose of showing users that their HTTP did not provide data security.
“We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.”
Next, they announced that websites with a valid HTTPS would rank higher in their search results.
“For these reasons, over the past few months, we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal…we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
In the past, SSL certificates were considered necessary only for websites dealing with banking or e-commerce. Other types of sensitive data, such as medical records, might have been encrypted, but the average blogger or informational site had no need of the certificate.
WHAT DOES THIS MEAN FOR UNENCRYPTED WEBSITES?
So, starting in January, Google plans to display a red padlock with an “x” on websites with ecommerce or where visitors can log in that are not already secured through HTTPS. This may cause concerns about a website’s safety and increase the site’s bounce rate. The green padlock showing next to the URL visually cues the visitor that the site is secure. More and more people will learn to rely on that visual cue as they move around the web. Then later on, Google plans to mark ALL non-HTTPS pages this way sometime in the future.
“We definitely do plan to label all HTTP pages as non-secure eventually.” – Emily Schechter, Product Manager, Chrome Security at Google
THE PROS AND CONS OF USING SSL
So, what does it matter? Are there drawbacks to switching all websites to HTTPS? First, let’s take a look at the positive aspects of encryption.
SSL ENCRYPTS SENSITIVE INFORMATION AND PROTECTS IT FROM PRYING EYES
As data moves around the internet, it passes from computer to computer on its way to its final destination. Think of it like the old Pony Express system. Information travels from one server to another, where it is sent on the next leg of its journey. During each jump, the potential exists for someone to hijack the transmission. Encrypted data keeps the hijacker from making sense of the information they intercept.
ENCRYPTION PROVIDES AUTHENTICATION AND SECURITY FOR USERS
Fraudulent websites litter the internet. About the only way someone can be sure they are visiting an authentic website is by checking for their SSL certificate. Google shows trusted sites with a small green padlock next to their URL. Users know that the site has been verified and that they are interacting with a known entity. The visual cue of the green padlock creates a sense of security and visitors won’t have to dig further to find out whether or not their information is safe.
SECURE TRANSMISSION IS NECESSARY FOR PCI COMPLIANCE
E-commerce sites that accept credit cards must use an SSL certificate. To comply with audit requirements, they must prove they use encryption of customer financial data. No legitimate e-commerce site can operate with an SSL certificate unless they go through a third-party payment processor such as PayPal. In such cases, companies such as PayPal accept responsibility for the handling of customer financial information and hold the required certificates.
THE CHALLENGES OF SWITCHING FROM HTTP TO HTTPS
The primary reason most websites do not use HTTPS is cost. An SSL certificate can cost upwards of $100 and just doesn’t seem necessary for those not handling sensitive information. In 2016, the Internet Security Group, sponsored by Linux, Cisco, Mozilla, and others, began offering TSL (Transport Layer Security) encryption free of charge through participating web hosts. Even though the certificate is free, there may still be some configuration costs. The certificate is not enough. Your web designer needs to code your website so everything on it loads through HTTPS rather than HTTP. The goal of this project was to eliminate the high costs associated with SSL certificates and further the move to “encrypt the web.” While e-commerce sites will still require a higher level of encryption, these X.509 certificates being offered at no cost, meet the needs of other sites, not handling data of an sensitive nature. Overall, the move to encrypt all websites seems to be positive. HTTPS helps protect customers, and promote trust. By “forcing” website owners into compliance, Google, and the other internet giants, just might be acting in everyone’s best interests.