Google begins HTTP rollup – is your business ready?
Chrome browsers will begin to mark HTTP sites as insecure over the coming weeks. What does this mean for businesses, and what tools are out there to test your SSL implementation?
Google has announced an earlier rollout than planned of its new HTTPS-focused stance, which will gradually affect all web users.
The search giant has been cracking down on non-encrypted, HTTP-only traffic for some time, by gradually tweaking the Chrome browser and by upweighting sites with HTTPS in Google search results.
This most recent development concerns Chrome browser users (73.8 per cent of overall internet users in November 2016), and will see the browser display a “Not Secure” warning for HTTP password and credit card pages as standard.
The move is likely to drastically increase the number of enterprises using HTTPS as default, although the latter group mentioned by Google - credit card pages - should already be secured under PCI DSS legislation.
The company said in a blogpost: “Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Starting in version 56, Chrome will mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure. The feature will roll out gradually over the next few weeks.”
The beta release is available now, and will be pushed out to the general public by January 2017.
What isn’t clear from the details Google has released is whether there will be sanctions against poorly implemented SSL coming down the pipeline. Given Google’s consistent insistence that the move is specifically designed to improve security for users, it’s unlikely that untrusted certificates will hold up for long, for example.
Whether it is down to Google and other giants driving the change, or whether they are tapping into the undercurrent themselves, HTTPS traffic is on the rise by almost every measure - BuiltWith’s “SSL By Default” report below shows just how rapid default adoption has been, nearly doubling in the last 12 months alone.
Meanwhile, statistics from High-Tech Bridge’s own free SSL testing tool (which unsurprisingly has never been more popular) show a trend towards better, more secure implementations too.
In the last month, 51.4 per cent of the SSL/TLS configurations tested on web servers were compliant with PCI DSS requirements; over the preceding 12 months the compound figure is 37.6 per cent, a 13 per cent improvement in a year. Given the compound nature of these statistics, this is not intended as a fully scientific figure, but with six-month compliance at 44.9 per cent and three-month compliance at 49.9 per cent, the overall trend is clear enough.
Ilia Kolochenko, High-Tech Bridge CEO, clarified the security detail behind the PCI standard: “The most important part of the PCI DSS dedicated to HTTPS encryption is described in requirement 4.1. There are several standard-specific requirements, for example every SSL certificate must be valid and signed by a trusted CA. Insecure protocols, such as SSL (any version) or early TLS (1.0) without a mitigation plan, are not allowed by PCI DSS either. In terms of allowed cipher suites and other more technical aspects of encryption, PCI DSS rather refers to NIST SP800-52r1 or OWASP.
“Another important point that is not directly related to the encryption weaknesses, but rather to encryption implementation, is the various vulnerabilities that may affect HTTPS servers within the CDE scope. Good examples are OpenSSL's Heartbleed or padding-oracle (CVE-2016-2107) flaws - PCI DSS compliance fails if your system is vulnerable to a security vulnerability with a CVSS score higher than 3.9.
“Also keep in mind that in addition to the above-mentioned requirements for encryption, you must meet a lot of other security requirements from all the 12 sections of PCI DSS, which is a pretty comprehensive standard.”
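A defender-side pre-check of the requirement 4.1 points listed above, as an added Python example (not High-Tech Bridge's tool or any code from the page): it pins handshakes to single protocol versions to see which ones a server still offers, verifies the certificate chain against the system CA store, and applies the CVSS 3.9 threshold to findings supplied by a vulnerability scanner. The host name, the scanner findings and the decision function `assess` are assumptions of this example; NIST SP800-52r1 cipher-suite checks are out of scope here.

```python
import socket
import ssl
import time

# Versions the article's PCI DSS 4.1 / NIST SP 800-52r1 summary treats as insecure
# (names match ssl.TLSVersion); TLS 1.0 is tolerated only with a mitigation plan.
INSECURE_PROTOCOLS = {"SSLv3", "TLSv1"}
CVSS_FAIL_THRESHOLD = 3.9  # article: a finding scoring above 3.9 fails compliance


def assess(offered, cert_trusted, cert_not_after, findings_cvss, now=None):
    """Pure decision logic; timestamps are POSIX seconds, findings map id -> CVSS."""
    now = time.time() if now is None else now
    failures = [f"insecure protocol offered: {p}" for p in sorted(offered) if p in INSECURE_PROTOCOLS]
    if not cert_trusted:
        failures.append("certificate not valid or not signed by a trusted CA")
    elif cert_not_after <= now:
        failures.append("certificate expired")
    failures += [f"{n}: CVSS {s} exceeds {CVSS_FAIL_THRESHOLD}"
                 for n, s in findings_cvss.items() if s > CVSS_FAIL_THRESHOLD]
    return failures


def probe_protocol(host, port, version):
    """True if the server completes a handshake pinned to exactly this version.
    Caveat: an OpenSSL build that refuses SSLv3/TLS 1.0 as a client yields False
    even where the server would accept them (a false negative, not a pass)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # probing support, not trust
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as sock, \
                ctx.wrap_socket(sock, server_hostname=host):
            return True
    except (ssl.SSLError, ValueError, OSError):
        return False


def check_server(host, port=443, findings_cvss=None):
    """Live check of one endpoint (needs network); scanner findings are passed in."""
    versions = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    offered = {v.name for v in versions if probe_protocol(host, port, v)}
    ctx = ssl.create_default_context()  # full chain + hostname check against system CAs
    try:
        with socket.create_connection((host, port), timeout=5) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
        trusted = True
    except ssl.SSLCertVerificationError:
        trusted, not_after = False, 0
    return assess(offered, trusted, not_after, findings_cvss or {})
```

`check_server("example.com", findings_cvss={"CVE-2016-2107": 5.9})` returns an empty list only when no insecure version is offered, the chain validates and no supplied finding exceeds the threshold; the CVSS scores for the example id are an assumed input, not a statement about any host.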
Indeed - whether it’s down to the PCI Security Standards Council, Google, or general altruism, properly implemented HTTPS is very much the future of the web. Is yours up to scratch? Find out here: https://www.immuniweb.com/ssl/