HTTPS

As of today, the 24th of July, if your webpage is not using HTTPS, Google Chrome will mark your website as ‘Not Secure’. Think about that for a moment. The first time a potential customer visits your website, right at the top of the browser they are met with a message that says your site is not secure.

Why are Google doing this? The reason is to make it the norm that the traffic between your website and the user is encrypted. This helps maintain the integrity of the data that is displayed to your potential customers.

If your website is not forcing users onto HTTPS connections, then you are not alone. There are plenty of popular websites that still don’t do this; take a look at the most popular websites in the UK that do not force users to use HTTPS - https://whynohttps.com/country/gb

But just because some of these big names aren’t doing it, that doesn’t mean you shouldn’t.

Even if your website isn’t hosting any sensitive information or asking people to enter a password or credit card details, you will still want to make sure that the content you created is the content the end user actually sees. If your website is only using HTTP, then it is possible for an attacker to alter the content and images that are displayed, and for a third party to inject code into the page before it is loaded in the user’s browser. Sometimes it’s not even the bad guys doing it. There have been examples in the past of internet service providers doing exactly this. Back in 2014, Comcast were injecting code that delivered adverts to people using their Wi-Fi hotspots (https://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/).

Even if your website redirects to an HTTPS page when sensitive information is required from the user, this still isn’t enough. An attacker can easily change the link on the HTTP page to redirect wherever they want.
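The check a site owner would want after reading the two paragraphs above is whether a plain-HTTP request is actually redirected to HTTPS, and whether the HTTPS response sets HSTS so the browser stops making plain-HTTP requests in the first place. The following is an added example, not code from this post or from Google, Chrome or whynohttps.com; the responses it inspects are constructed samples, and `example.com` is a placeholder host.

```python
"""Judge whether a site forces HTTPS from the responses it returns (added example, constructed input)."""
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses, not captured from any real site.
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\nContent-Length: 0\r\n\r\n"
GOOD_HTTPS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
BAD_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>served in the clear</html>"


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response head into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def forces_https(status: int, headers: dict, requested_host: str) -> bool:
    """True only if the plain-HTTP request was redirected to an https:// URL on the same host.
    A redirect to another scheme or host, or a 200 served over HTTP, means HTTPS is not forced."""
    if status not in REDIRECT_CODES:
        return False
    target = urlparse(headers.get("location", ""))
    return target.scheme == "https" and (target.hostname or "").lower() == requested_host.lower()


def hsts_max_age(headers: dict) -> int:
    """Return max-age from Strict-Transport-Security, or 0 if absent/malformed.
    Browsers only honour HSTS received over HTTPS, so inspect the HTTPS response, not the HTTP one."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0


def audit(http_raw: str, https_raw: str, host: str) -> dict:
    """Combine both checks into one verdict for a host."""
    status, headers = parse_response(http_raw)
    _, tls_headers = parse_response(https_raw)
    return {"forces_https": forces_https(status, headers, host), "hsts_max_age": hsts_max_age(tls_headers)}


if __name__ == "__main__":
    print(audit(GOOD_HTTP, GOOD_HTTPS, "example.com"))
    print(audit(BAD_HTTP, GOOD_HTTPS, "example.com"))
```

A site that only redirects its login page, as described above, still fails `forces_https` for every other URL, which is the point the paragraph makes.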

Since 2016 the certificate authority Let’s Encrypt has been offering free certificates to allow websites to use HTTPS. There is no cost to help secure the traffic between your website and its users.

Just because a website is using HTTPS doesn’t mean that it is legitimate; a hacker may well use an HTTPS certificate on a phishing website to make it look more believable, but that is no reason not to make sure that your website is also using HTTPS. All websites should be using HTTPS to help protect users. Not only this, but Google also downrank non-HTTPS websites in their search results. So if you want to help secure users and get better SEO, then make sure all of your web content is served over HTTPS.

For more advice on HTTPS, contact [email protected]

Gerry Grant, Chief Ethical Hacker


Written on 24 July 2018
