THE NEW AGE OF SECURE BROWSING

(SSL/TLS)

Did you know that if your website’s URL does not start with “https”, which means that it does not use any encryption, your website has been ranked lower on Google’s search engines than it should be by Google’s ranking algorithms? Additionally, starting from July 2018, Google Chrome and other browsers will mark all websites as “Not secure” if they do not have secure encrypted connections configured.

The change shown above is part of long term plan “HTTPS everywhere”, that Google had deployed a few years ago to encourage site owners to improve their website’s security. You might have noticed that since 2017, when any input onto a HTTP site is made through Chrome; the address bar would instantly display the “Not secure” notification. This will eventually transition into including a red warning sign to help raise awareness to users that their communication with a site is vulnerable to attackers, allowing them to have true insight of the level of security on the web.

Google has decided to incorporate a gradual transition to this movement for two reasons. Firstly, to grant website owners sufficient time to correctly configure their sites to HTTPS, and secondly, ingeniously protecting the public image of the red warning sign so that it would truly be an indication that a website’s security should be questioned. Furthermore, according to statistics published by Chrome, the default use of HTTPS on the top 100 sites has grown from 37 in 2016, to 81 at the start of 2018.

WHY YOU NEED SECURE BROWSING

If you visit websites regularly or are part of an organization that owns a website, it is beneficial to understand what it means to browse the web securely. This is when a site is accessed by using the HTTP Secure (HTTPS) extension of the Hypertext Transfer Protocol (HTTP).

When a user is interacting with a website that only uses HTTP, all data that is sent back and forth between them is done so in plaintext. As a result, the need for an improvement of security during this process has led to the implementation of three main features of HTTPS:

• Firstly, all transmitted data is encrypted, this means that plaintext is encrypted into ciphertext, making it very difficult for attackers to decrypt the data.
• Secondly, authentication of the website that a user is communicating with is required, which is verified by providing certificates identifying the organization.
• Lastly, HTTPS provides a mechanism that detects tampering or corruption of data in transmission, which facilitates data integrity.

A very troublesome situation is that of using public networks, such as the Wi-Fi in a coffee shop. If a user is communicating with a website that does not enforce HTTPS, data can be gathered by attackers using packet sniffer tools, which attempt to intercept and gather packets on a network. This allows the attacker the ability to access sensitive information in plaintext, for instance; a user’s login information. Attackers could also modify the content in transmission which could potentially trick users into downloading malware. In extreme cases in situations where no sensitive information is being communicated, attackers can still gather information revealing behaviors and identities of users.

Websites should not only be secure to protect users, but also to improve brand reputation, allowing users to trust the websites that they are accessing. Google and other search engines have been giving websites that use HTTPS a ranking boost since 2014. Therefore, if an organization wants to improve their online presence while still using HTTP, then an easy option is to upgrade to the recommended HTTPS configuration.

HOW TO TELL IF A WEBSITE IS SECURE

To assure that browsing on a specific website is done securely, web browsers all display a green padlock by the URL with the text “Secure”, followed by the URL that starts with HTTPS, not HTTP. This means that they currently have a valid SSL/TLS certificate that is officially owned by the website and is configured correctly. Otherwise, a red warning sign would be displayed with the text “Not secure”, and a line through the https text, shown below.

More information can always be found about the SSL/TLS certificates in both cases by clicking on the Secure or Not secure text, such as who the certificate is issued to, whether it is expired, and even how many bits are used for encryption.

Users should always inspect the website URL to ensure it is not attempting to impersonate another website. These sites can configure SSL/TLS certificates, but in these cases the website itself is malicious while intending to appear safe. An example of this is a phishing site called “y0urcompany.com.”, which if it said “Secure” by the URL, should not be trusted. It is important to always look at the domain name and check for any misspellings.

HOW TO SETUP SECURE BROWSING ON YOUR DOMAINS

When migrating a website to HTTPS, many factors should be taken into consideration, therefore, the help of an expert should be available ensure an optimized configuration. The following steps are a brief description how to approach this migration.

1. Purchase an SSL/TLS certificate. Decide on which type you would require from a choice of single, multi-domain, or wildcard certificates. Starting with a single domain certificate, which is issued to one specific domain which is the cheapest option. Next is a multi-domain certificate, which can be used for many different domains, by adding alternative addresses which normally ranges from 5–10 domains, and this is around double the price of a single domain certificate. Finally, we have wildcard certificates, which secures one domain, and all its subdomains, which would be around double the price of multi-domain certificates. It’s recommended to purchase this through your hosting company as they often will help with installation of the certificate.
2. Configure 2048-bit keys for encryption on the certificates, as this is the recommended level of security to use. It is also advised to the best available cipher suites and disable/avoid outdated cipher suites as they often have vulnerabilities.
3. Set up redirects to force all current HTTP pages to redirect to the new HTTPS pages. This can be done by adding 301 redirects to the header of the webpage using canonical links, similar to “<link rel=”canonical” href=”https://…”/>”, or by adding code into the “.htaccess” file to force this redirect. Most web hosts aid in these configurations.
4. Update all internal links throughout the website to redirect to the HTTPS pages, which removes the need of each page to redirect to from HTTP. The best practice recommended by Google developers for internal links are to use protocol-relative links, which instead of stating what protocol to use, the link picks up the current configuration. For example, changing <a href=”http://example.com/”> to <a href=”//example.com/”>.
5. Update all external links in all possible instances. It is possible to use scripts such as Bram van Damme’s script to detect mixed content on websites.
6. Allow HTTPS sites to be crawled using the robots.txt file and avoid using the ‘noindex’ tag in the robots.txt file. This allows search engines to easily crawl your website to be indexed and ranked correctly.
7. Reindexing the website is a process that would happen over time, while all browsers have different methods of crawling the web. Google’s Search Console is a free tool that helps to check the status of indexing of a website, and assists optimizing visibility and presence of sites and pages.
8. Test the configuration of the website by using tools such as Qualys SSL Labs, which analyses a domain and suggests any recommendations and best practices. This tool also shows current vulnerabilities and gives the domain an overall score.

CONCLUSION

It is recommended to use HTTPS to protect transmitted information, gain fair ranking on search engines, and improve the website’s public view of legitimacy and safety by visibly seeing the URL labeled as “Secure” and a padlock, both in green.

The use of HTTPS on websites indicates that data in transmission is protected with encryption, tampering to this data would be detected, and the site address would be authorized. This allows users to clearly see how secure their communication with websites are. The use of HTTPS requires an SSL/TLS certificate to be configured to a URL, which can be purchased for a single domain, multiple domains, or for wildcard subdomains.

Google has been strongly advising website owners to migrate their sites to HTTPS over the past few years, and these secure sites have been given ranking boosts by search engines. All websites that are using HTTP will eventually have the label “Not secure” and a warning sign, both in red by their URLs, which is even more of a reason to migrate sites to HTTPS. They have provided documentation with best practices and migration instructions along with tools to help this process, readily available online.