Speaking at the USENIX Enigma cybersecurity conference in Oakland, California yesterday, #Google’s product manager for Chrome security made it clear that the company will begin increasing pressure on websites that have not followed an industry-wide push for secure connections. The latest Chrome release will visibly brand sites as “non-secure” in the URL window if they have not converted to the more-protected “#HTTPS” protocol.
“Moving the Web to HTTPS is important,” said Google’s Emily Schechter at the gathering of security professionals in downtown Oakland. HTTPS or Hypertext Transfer Protocol Secure is an encryption format designed to keep credit card and password information protected when entered onto a website. Sensitive information transmitted on sites with only HTTP can be more vulnerable to theft or unwanted monitoring.
Sites with only HTTP will be noted by Google as “not secure.” The current icon (a small letter "i") when clicked in the Chrome browser reveals a drop box with the words, “Your connection to this site is not secure.”
Barely half of top sites are compliant
Schechter also revealed yesterday that the top 100 most popular websites have made progress over the past year in migrating to HTTPS, but the number is still barely half. According to Schechter, 54 of the top 100 sites now support the safer protocol (vs. only 39 one year ago).
Google publishes a “Transparency Report” which lists the major sites that have converted and those who have not. Surprisingly, two of the company websites listed as still using less secure HTTP are CNN and #eBay, an e-commerce powerhouse with over $22 billion in quarterly gross merchandise volume and 167 million active buyers. Both CNN and eBay are noted as “not secure” when accessed in the Chrome browser.
In response to an inquiry, a spokesman for eBay did not address the Google report or the Chrome browser directly, but indicated that the company protects all pages that involve “sensitive information” with authentication and authorization controls. “All critical flows that involve sensitive data are delivered over SSL (https),” said Ryan Moore, eBay’s senior manager of Global Corporate Affairs and Communications. SSL (Secure Sockets Layer) is standard security technology that encrypts links sent between and browser and web server.
Conversion has been difficult
A number of companies have struggled to convert to HTTPS, a point that Google’s Schechter acknowledged in her Enigma presentation yesterday. Reasons for this can be the loss of ad revenue and, for small businesses, the cost to obtain a certificate.
Posts on the Internet by a number of users who converted to HTTPS have cited a reduction in revenue from AdSense, Google’s program for serving embedded web advertisements. Google’s own documentation warns that ads served on HTTPS-compliant pages could earn less revenue, although the reason for this isn’t clear.
Obtaining a certificate has become easier and less costly thanks to a free certification project called Let’s Encrypt that has been underwritten by a number of tech firms including Google, Cisco, and Akamai. Let’s Encrypt operates as a certificate authority whose purpose is to confirm that the servers running HTTPS sites are real. “The migration no longer has to cost you a lot of money,” said Google’s Schechter.
In 2014, Google published a blog post which indicated that they would begin using HTTPS as a “lightweight” ranking signal, which could impact search results. They also reserved the right to strengthen the signal, which could impact visibility on the Web for non-compliant sites.
The push for a more secure Web has been a challenge from the first day that data flowed across networks. Based on the comments from one of their key security executives in Oakland yesterday, Google is about to turn up the heat even more.