Upcoming Changes in Web Security Standards

Google Chrome will soon be displaying a “Not secure” message for websites with HTTP login forms.

Background

Do you know what an encrypted connection is used for? And do you know that when you are shopping online or just surfing the web, someone might monitor or even modify all the data exchanged between your browser and the server? Malicious persons do this to obtain personal data and commit fraud.

How to stay safe?

Your browser uses HTTP (Hypertext Transfer Protocol) to communicate with the web server. Data transmitted over HTTP is unprotected and can be intercepted (“tapped”) or modified. Applications called “sniffers” make it possible to intercept data from insecure connections; this most often happens to usernames, passwords, credit card details, bank account details, personal data, etc.

However, HTTPS was created in 1994. This protocol carries Hypertext Transfer Protocol (HTTP) communication within an encrypted connection. It protects the privacy and integrity of the exchanged data. Nowadays this protocol is obligatory for any network communication that contains personal data.

What’s new and how to protect your data?

A majority of internet users are not familiar with terms such as “protocol” and “encrypted connection”, so they can hardly tell whether their data is secured. For that reason the makers of the most widely used browsers, such as Google Chrome, Mozilla Firefox, Internet Explorer, Safari and Opera, aim to make those terms more comprehensible and accessible. Websites that use an HTTPS encrypted connection and have an SSL certificate installed usually show a green lock in the browser address bar. This means that the website is secure and the connection is encrypted. If the website uses HTTP, the green lock is not displayed, and when you point to or click the (i) icon in front of the URL you will see the “Connection is not secured” notification.

As of January 2017, Google Chrome will indicate more noticeably whether the connection is encrypted.

(source: https://security.googleblog.com)

The purpose of this is to warn users when they visit websites over an HTTP connection and to decrease the possibility of visiting a phishing website, where they could get infected with malware or have their personal data stolen.

Which websites will display a warning message?

For the time being this applies only to websites that require log-in or payment details. Nowadays a vast number of websites let users access and/or administer part of the website content after entering a username and password. All online stores will be affected by this change.

Which websites will still not display a warning message?

If your website does not require a log-in and users do not need to enter personal data, a warning message will not be displayed for the time being. The same goes for websites whose log-in form is hidden so that it is not indexed by search engines.

According to the latest information released, at a later stage web browsers will start displaying such a message for all websites that use the HTTP protocol, whether or not they have login forms.

It is not yet officially confirmed, but there is a high probability that the “Not secure” message will be colored red and preceded by a red triangle!

Eventual treatment of all HTTP pages in Chrome

(source: https://security.googleblog.com)

Such messages are intended to warn users that visiting a certain website may lead to their personal data being compromised. It will also mean that website owners need to migrate from HTTP to HTTPS so that users do not start avoiding the website.

Google Chrome will be the first browser to display the warnings in a more noticeable way. Other browsers will also start working in this direction, as the main goal is to use the HTTP protocol less often and to move all traffic to HTTPS.

What do you need to do in order to migrate to HTTPS?

1. Issuing and Installing an SSL Certificate

In order for your website to load over HTTPS you need to install an SSL certificate on your server or hosting account. Standard SSL certificates vary depending on their issuer and level of trustworthiness. For websites with certificates that validate the website's organization, and those with extended validation, browsers show that the connection is encrypted and that the certificate has been issued specifically to a certain organization. The green lock appears when there is an SSL certificate with extended validation, and this always gives visitors increased confidence in the site’s security.

2. Setting up Your Website

After you install an SSL certificate on your hosting account or server, you need to configure your website so that it always loads over HTTPS and all external page links also point to HTTPS. This way the website visitors will not be “warned” that the website is insecure and will keep trusting it.
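
A small audit for step 2, added here as an example and not part of the original article: it reports whether a page served over HTTP contains the log-in or payment fields that trigger the warning, and lists form targets, links and resources that still resolve to http://. Treating password inputs and cc-* autocomplete hints as the sensitive fields is an assumption, and the names audit, PageAudit and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_ATTRS = {"src", "href", "action"}  # attributes that load or submit to a URL


class PageAudit(HTMLParser):
    """Collects sensitive inputs and plain-HTTP references from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.sensitive_fields = []  # password / payment inputs
        self.http_refs = []         # (tag, absolute URL) still on http://

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            kind = a.get("type", "text").lower()
            hint = a.get("autocomplete", "").lower()
            # Assumption: these stand in for "log-in or payment details".
            if kind == "password" or hint.startswith("cc-"):
                self.sensitive_fields.append(a.get("name") or kind)
        for attr in URL_ATTRS & a.keys():
            target = urljoin(self.page_url, a[attr])  # resolve relative URLs
            if urlparse(target).scheme == "http":
                self.http_refs.append((tag, target))


def audit(page_url, html):
    """Report whether the page would be flagged and what still uses HTTP."""
    parser = PageAudit(page_url)
    parser.feed(html)
    over_http = urlparse(page_url).scheme == "http"
    return {
        "warn_not_secure": over_http and bool(parser.sensitive_fields),
        "sensitive_fields": parser.sensitive_fields,
        "http_refs": sorted(parser.http_refs),
    }


# Constructed sample page, not taken from a real site.
SAMPLE = """
<form action="/login"><input type="password" name="pass"></form>
<img src="http://cdn.example.com/logo.png">
<a href="https://example.com/help">Help</a>
"""

if __name__ == "__main__":
    print(audit("http://shop.example.com/account", SAMPLE))
```

Running the same page through audit with an https:// URL clears the form target, which is relative, but still lists the hard-coded http:// image, which is the kind of reference that has to be rewritten by hand after the certificate is installed.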

We highly recommend that website administrators do not wait until the last possible moment, but check the percentage of users accessing the website from Google Chrome and migrate to HTTPS quickly. Their website will then be better protected, and users will stay calm and confident that their personal data will not be used illegitimately.
Svetoslav Iliev
Svetoslav is a vital part of our SuperTeam. His SuperPowers are multitasking and the skill to put all projects in order. He always knows the right approach to implementing improvements and how to make our clients happy.