Going HTTPS: How to Help Avoid Google's Unencrypted Website Warning

Chrome browser users will be warned of the cybersecurity risks of accessing non-HTTPS site. See how you can help avoid your site being labeled a danger.
Writer/Author/Publisher/Speaker, Garden Guides Press
February 20, 2017

In September 2016 Google announced its long-term plan to mark all HTTP sites as non-secure. Starting with the new Chrome 56, the browser warns visitor when sites aren't using HTTPS connections. Eventually, all sites accessed in Chrome that don't meet cybersecurity standards will be flagged with a red “danger" icon.

This move to warn online users when websites are unsecure—and credit card and password information could get into unwanted hands—comes at a time when cybersecurity is receiving much warranted attention. It's an issue being discussed across the country, including at cybersecurity gatherings like the RSA Conference 2017.

“The internet is still somewhat rooted in the Wild West," says Nick Greene of Nick Greene Digital Marketing & Design. “Some players are following the rules and being fair to all, while others are taking shortcuts at the expense of others. Google's new cybersecurity measure will help level the playing field by seeing that all business owners ensure their websites collect and pass data in a secure, encrypted manner."

The Push to Secure Data With HTTPS

The concept of securing data with HTTPS is nothing new, notes Gary S. Miliefsky, founder of SnoopWall Inc., a counter-intelligence technology company, and executive producer of Cyber Defense Magazine. 

“Since the early days of electronic commerce, the SSL protocol [Secure Sockets Layer] driving the HTTPS secure web browser experience has helped protect personally identifiable information [PII] from being stolen during online purchases," Miliefsky explains. "A lock on your web browser indicates that a site is using HTTPS and is more secure."

Business owners who have not implemented basic security measures such as SSL/TLS to protect sensitive webpages like login and checkout pages now need to make sure they implement this, because customers are going to take it seriously when their browsers show a red-for-danger icon.

—Atit Shah, head of security, WePay

This is the first time, though, that Google has penalized websites by warning visitors, adds Adam Levin, chairman and founder of cybersecurity solutions company CyberScout and author of Swiped.

“Google's push to combat unencrypted web traffic by identifying HTTP sites as unsecure is a Paul Revere moment for businesses that have e-commerce sites and conduct transactions online," says Levin. “As breaches have become the third certainty in life, the gateway point for major data breaches has often been unsecure websites. Google is not only giving the consumer the awareness to avoid risky behavior, they're also calling out certain companies as having poor security."

Cybersecurity Steps You Can Take for Your Business

If you wish to reach out to a broader customer base and build trust, you may want to take your security more seriously, believes Atit Shah, head of security for online payment platform WePay

“Business owners who have not implemented basic security measures such as SSL/TLS to protect sensitive webpages like login and checkout pages now need to make sure they implement this, because customers are going to take it seriously when their browsers show a red-for-danger icon."

Google is a leader when it comes to web security, so other browser vendors may follow in its footsteps, adds Matias Woloski, author of A Guide to Claims-Based Identity and Access Control and CTO and co-founder of Auth0, which provides authentication and authorization for developers.

“Given Chrome's [57] percent market share in the browser space, this latest change will put a lot of pressure on businesses [and] websites that have so far ignored web security best practices," says Woloski. “If they haven't already been working on this requirement, they will have to scramble to do so now."

Adhering to the requirements means configuring servers to use HTTPS, as well as acquiring the necessary TLS certificates and possibly updating custom applications.

“It's important to note that HTTPS does add operational complexity, and organizations will need to manage issues such as browser compatibility and certificate expiration," says Woloski. “Given this level of effort, we recommend moving to HTTPS for the entire website, not just sensitive pages. This will help future-proof businesses against upcoming browser warnings."

Instituting HTTPS and its encryption ability may not be the complete answer, believes Shah. “In the last few years, various attacks such as Heartbleed, BEAST and POODLE have targeted security vulnerabilities in SSL/TLS," Shah says, listing three infamous security bugs. "Therefore, online businesses should also make sure that SSL/TLS implementations are secure and that they've have implemented best practices, such as reliable Certificate Authority and secure cipher suites with perfect forward secrecy."

Promoting a Cybersecurity Culture

The bottom line is that cybersecurity will continue to be an issue, which means that business owners must adopt a culture of security and privacy. “This means encrypting data, investing in employee training on security and privacy protocols, securing all connected devices with the most sophisticated and up-to-date antivirus software, penetration testing and role-based data segmentation," says Levin.

One of the biggest sources of breaches come from employees who use their personal mobile devices at work and download unverified apps, access unsecure sites or use unsecure WiFi, notes Levin. 

"It only takes one employee clicking on the wrong link or entering sensitive information on a fake site to create a potential extinction level event for the business," says Levin. “A business must get everything right while a hacker need only find one tiny point of vulnerability open for a matter of seconds."

While the encryption alert isn't desirable, it need not be the “equivalent of a scarlet letter," says Levin. “Use this as a tool to step up your security game. Those who fail to properly design and test solutions could suffer reputational damage, but that pales in comparison to the reputational damage they will endure if your failure to take proper security precautions provides a conduit for hackers to compromise customer information."

Read more articles on cybersecurity.

Photo: iStock
Writer/Author/Publisher/Speaker, Garden Guides Press