Research shows that 81 of the top 100 non-Google websites are using Hypertext Transfer Protocol Secure (HTTPS) to make their sites a safer place for individuals. HTTPS encrypts communications that are sent between an individual’s browser and the website they’re connected to, meaning that information submitted is harder to intercept and understand.
Adopting that extra ‘S’ reflects the change in attitude in the business world. It’s no longer just about keeping up with competitors; businesses are now focused on protecting the privacy of clients’ data, transactions and integrity of the data exchanged.
Christo van Staden, Forcepoint Regional Manager: Sub-Saharan Africa, says privacy is on the tip of everyone’s tongue currently, with regulations such as GDPR and PoPI coming into force and the dust only just settling from the recent Cambridge Analytica scandal. On 24th July, Google rolled out Chrome v68 to mark all sites using HTTP as “Not Secure”.
This marker provides a clear signal to end users as to whether their communications with a site are encrypted or not. Prior to Chrome v68, the security indicator was a small and easily missed (i) icon next to the website address. But this change hasn’t come out of the blue. For years, Google has been encouraging webmasters to implement best practices when it comes to security.
In 2014, Google began to rank HTTPS sites higher than HTTP in search results. In September 2016, Google announced that Chrome would mark non-HTTPS sites that have a password field as “Not Secure” so that website users know their personal data is not secured. The ultimate goal is to remove the “Secure” security indicator from HTTPS websites, given encrypted traffic will become the default.
Chrome v68 is another nail in the HTTP coffin and it won’t be an isolated move. Not wanting to be left behind, other browser vendors will likely follow suit.
“How many users pay attention to whether a website URL has HTTP or HTTPS at its start? How many know what that ‘S’ at the end means? Over the past few years, there’s been a quiet shift in the web toward including that ‘S’. It’s been a subtle change, but one that is a direct result of what’s been going on in the world around us,” he adds.
With the term “ransomware” just being added to the Oxford English Dictionary and constant news about cybersecurity breaches and online interference with our governments, it might be comforting to know that the ‘S’ stands for ‘Secure’ and provides an encryption-by-default model for websites.
“Does HTTPS really make you safer?” he asks. “On face value, yes, it does – it’s another level of protection. It makes it harder for anyone monitoring users to see what they’re reading or posting on the internet and it makes it harder for threat actors to change the website’s content. This means that users are less likely to click a malicious link or get tricked into downloading malware.”
“While they still may be able to see what website you are visiting, the content exchanged will be safe. In a world of fake news, it’s reassuring to know that the extra ‘S’ means that it is harder for anyone not associated with the organisation whose website you’re on to alter the information that you’re reading,” he explains.
But, in reaction to the increased use of HTTPS, cybercriminals and nation state actors are adapting their tactics, techniques and procedures. For example, scammers have been acquiring certificates to ensure their fraudulent websites (which imitate trusted sites, such as PayPal and Google) appear legitimate.
Businesses and governments alike are becoming more conscious of the need to react to the changing threat landscape, as malicious actors adapt and multiply. With a number of high-profile attacks over the last year, there has been a global discussion on encryption and its role in a free society.
This conversation has tied into new data protection regulations (such as GDPR and PoPI) that present organisations with the chance to increase their security efforts and build a culture that upholds the need to protect customer data.
Van Staden says by embracing best practices – such as the shift to HTTPS – they can look to ensure that the intellectual properties of individuals are protected in a hyper-connected world.
“What does it all mean at the end of the day? Upon reviewing popular websites, many login pages already use HTTPS, but the homepages of those same websites are still using HTTP. This includes bank, eCommerce and travel companies. It is clear that webmasters, as well as business owners, still have work to do,” he says.
Even basic websites, such as those owned by schools and small charities will need to start migrating over to HTTPS, which requires significant investment. For starters, there is a cost associated with moving to HTTPS – it’s not a lot, but if budgets are tight, this is something that will need to be considered.
Secondly, it does take some knowledge of website building to be able to make this shift – skills that smaller organisations are less likely to have easy access to. Fortunately, easily accessible educational resources exist that can support these businesses.
This trend isn’t something that will go away overnight. Eventually, Google’s browser feature will red-flag all HTTP pages as “Not Secure” while reducing the security indicators on HTTPS websites, due to the extra level of encryption deployed. This means that the anomaly of an HTTP page will be very apparent to end users, marking a significant shift in user behaviour and preference to the perceived safer HTTPS.
“However, nothing that is connected to the web can ever be totally safe from threat actors as they constantly look for new ways to get in. Avoid blindly trusting the extra ‘S’, implement effective security practices and remain vigilant with data that is shared,” he concludes.