We're now well into 2018 and it's clear that this will be a big year for web security. For years the industry has been pushing for the ubiquitous use of encryption for websites (i.e. that all-important s in https://). But we think that this is the year that will see the largest changes for websites that don't use this technology. We'll cover what this encryption actually is and is not, why these changes are happening, and what you should know about the changes coming up this year.
The web as a whole has been moving toward encrypted browsing for a while. First, browsers started marking encrypted sites with a green security symbol in the address bar to highlight them favorably to internet users. Next, search engines started ranking sites that used encryption higher, giving them a modest advantage. Now, in July of this year, we're going to see Google go a step further and mark all non-encrypted sites as insecure in Google Chrome. This will drastically reduce the number of users visiting these unencrypted websites and will most likely almost completely cut off any potential user engagement.
So why this big push? Why now? Before we get there, though, let's briefly discuss what exactly we're talking about. When we talk about encryption in this manner we're really talking about TLS (and, sometimes, its now-ancient predecessor SSL). TLS is a technology that provides two main benefits:
First, verification. When you type a URL into the address bar (e.g. mybank.com), your browser takes you to that website. How do you know that it's really the website that you meant to go to, though? Without TLS, there really isn't a good way for the average user to know if they are really at mybank.com. However, one of the things that TLS does is very cleverly verify that the server you are talking to is the one that you intended to reach. Basically, your browser (e.g. Chrome, Safari, etc.) has a list of trusted Certificate Authorities. Any site using TLS must register with one of these authorities and provide some basic information. Through a method called Public Key Cryptography, which we won't dive into here, your browser can securely determine whether this is the server that registered with the authority.
Secondly, TLS encrypts all of your data that is being transferred back and forth to the website. This means that all of the servers (and governments) between you and the website can't read any of the data being sent back and forth.
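The verification step described under the first benefit can be tried offline. The script below is an added example, not part of the original article: it builds two private demo CAs with the `openssl` command-line tool, issues one certificate, and uses `openssl verify` to stand in for the browser's check. The hostnames `mybank.example` and `otherbank.example`, the CA names and the function names are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added illustration: every key, CA and hostname below is constructed locally.
# Files are written to a temporary directory and left there for inspection.
set -u
work=$(mktemp -d)

# Create a self-signed Certificate Authority. $1 = file prefix, $2 = CA name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# The site "registers" with a CA: the CA signs a certificate for its hostname.
# $1 = issuing CA prefix, $2 = hostname placed in the certificate.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
  openssl x509 -req -in "$work/server.csr" -days 1 \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -CAcreateserial \
    -out "$work/server.pem" 2>/dev/null
}

# What the browser does: accept the certificate only if it chains to a CA on
# its trusted list AND names the host the user asked for.
# $1 = CA the client trusts, $2 = hostname the user typed.
check() {
  if openssl verify -CAfile "$work/$1.pem" -verify_hostname "$2" \
       "$work/server.pem" >/dev/null 2>&1
  then echo trusted
  else echo rejected
  fi
}

make_ca trusted "Demo Trusted CA"
make_ca unknown "Demo Unknown CA"
issue_cert trusted mybank.example

echo "right CA, right name:  $(check trusted mybank.example)"
echo "right CA, wrong name:  $(check trusted otherbank.example)"
echo "CA not on the list:    $(check unknown mybank.example)"
```

Only the first check succeeds: a certificate is accepted when both the issuing authority and the hostname match what the client expects.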
OK, so now we can talk about why there is a big push for everyone to use this and why it's coming now.
Security and privacy are really consumer protections. There are several organizations that are working very hard to make the internet a safer place for everybody. In 2016 the price of registering a website at one of the trusted Certificate Authorities was reduced all the way down to $0 thanks to Let's Encrypt and their sponsors. So it's natural that after two years the industry is now pushing for everybody to get on board, since there is no longer a cost hurdle.
Even five years ago, using encryption for websites made them measurably slower. No one wants to wait longer for a page to load and no one wants to pay for more servers to handle the additional work required. This meant that encryption was only used when absolutely necessary. However, that has started to change. As servers have become faster and more efficient, it no longer costs as much to use encryption all of the time. Probably the single biggest change in this area came in 2016 with the release of HTTP/2, though. This is a newer and faster version of the underlying technology that powers the web. Technically this new version can be used without encryption, but all of the major organizations have decided to only implement it if encryption is also used. So, while it used to be slower to use encryption, now it can actually be faster.
Lastly, politics has come into play. With several countries around the world trying to censor the internet as well as governments trying to gather as much information as possible from the internet, there are now more reasons than ever to encrypt as much data as possible.
So, is TLS a magic bullet? Once it is used everywhere, will the days of security breaches and privacy concerns be over? Unfortunately not. This is only the first step. TLS doesn't have any impact on what a website does with your data once it gets it; it only makes sure that the data reaches the website securely. The website could do any number of things with it after that, either intentionally or unintentionally. It is a big step in the right direction, though. Once it is used exclusively, we can move on to solving other security and policy concerns.
If you aren't using TLS on your site then you're already putting your users at a higher risk, ranking lower on search engines and probably losing visitors due to slower page load times. After Google releases their update to Chrome in July, these negative impacts will be much larger, as many users will see an insecure site warning when using your website. Don't let this happen to you. Contact us to start using TLS today.