It is almost two years since Google announced plans to mark HTTP login pages as 'not secure' in version 56 of the Chrome browser.
In February of this year, Chrome Security product manager Emily Schechter said in a blog post that it had “helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as not secure” and beginning with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure.”
This week marks the launch of version 68 and, to further emphasize the importance of having an SSL certificate on your website, two noted security researchers have worked together to create a service that scans the internet for websites that are not served securely and highlights them on a new website.
Troy Hunt, who has written extensively about SSL and HTTPS in the past, and Scott Helme, who took part in an Infosecurity webinar in March on 'Why Many Websites are still Insecure (and How to Fix Them)', collaborated on the initiative. According to Hunt, Helme has in the past crawled the Alexa Top Million websites and published six-monthly reports on his findings; Hunt noted that over 38% of the world's largest sites were redirecting insecure requests to the secure scheme.
Hunt said: “We went back and forth on this and in the end we decided the most useful thing to do was to re-scan every site in this report from my end and if I see it redirecting to HTTPS, drop it from the list. Problem solved, right? No, things just got weirder.
“I took the top 100 sites for each country I'd identified and re-scanned them all from my end. In total, this meant 12,363 separate domains and only 56 of them redirected to HTTPS.”
This led to the launch of Why No HTTPS? this week, which Hunt and Helme have created to feature the “world’s most popular websites loaded insecurely” and country-by-country localized reports.
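The redirect check Hunt describes above (does a plain HTTP request to a site end up on HTTPS?) as an added Python example; it is not the Why No HTTPS? project's own scanner, and the hosts and responses in the SAMPLE table are constructed. It follows the whole redirect chain rather than only the first hop, since a site that bounces through an http:// www host or a relative Location, or that downgrades back to HTTP, would otherwise be misclassified.

```python
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}

def walk_redirects(start_url, fetch, max_hops=5):
    """Walk redirects from an http:// URL. fetch(url) -> (status, Location or None), one request,
    not auto-followed. Verdict: 'https', 'http' (served or left on plain HTTP), 'loop', 'too-many-hops'."""
    url, chain = start_url, [start_url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break                          # final response reached
        url = urljoin(url, location)       # Location may be relative
        if url in chain:
            return "loop", chain           # revisited a URL, e.g. an HTTPS downgrade
        chain.append(url)
    else:
        return "too-many-hops", chain
    return ("https" if urlsplit(url).scheme == "https" else "http"), chain

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it

def fetch_http(url, timeout=10):
    """Live fetcher for walk_redirects(): one request, redirect not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "https-audit"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx arrives as HTTPError
        return err.code, err.headers.get("Location")

# Constructed responses (hypothetical hosts, not scan data); unknown URLs answer 200, no redirect.
SAMPLE = {
    "http://a.example/": (301, "https://a.example/"),             # direct upgrade
    "http://b.example/": (301, "http://www.b.example/"),          # www hop, still http ...
    "http://www.b.example/": (302, "/login"),                     # ... relative hop ...
    "http://www.b.example/login": (301, "https://www.b.example/login"),  # ... then HTTPS
    "http://d.example/": (301, "https://d.example/"),             # upgrades, but ...
    "https://d.example/": (302, "http://d.example/"),             # ... downgrades back
}
def sample_fetch(url):
    return SAMPLE.get(url, (200, None))

def audit(domains, fetch=fetch_http):
    """Map each bare domain to its verdict; only 'https' counts as secured."""
    return {d: walk_redirects(f"http://{d}/", fetch)[0] for d in domains}
```

Run `audit(["example.com"])` with the default fetcher to check a live domain; pass `sample_fetch` to exercise the constructed cases offline.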
Speaking to Infosecurity, Hunt and Helme said that the initiative was about helping companies understand why their websites need HTTPS, and about the dangers of unencrypted traffic.
Helme explained that any traffic sent over HTTP could be used against the user. “The page itself might be a static news website, but an attacker can still inject hostile content into the page during transit and attack the user.”
Hunt further said that “abuses of unencrypted traffic range from unwanted ads to cryptominers to keyloggers and then all the way through to malware and phishing attacks.”
So is Why No HTTPS? intended to help the websites that have not adopted HTTPS? Hunt said: “I think this initiative will help shine the spotlight on companies not doing HTTPS correctly. I expect people will actively call attention to the likes of the Daily Mail in the UK or ESPN in the US and say ‘Hey, how about showing a bit more respect for our traffic when we visit’.”
How much has this been influenced by Google’s actions with Chrome over the past couple of years? Helme said that this is part of a much longer-term plan to change the browser user interface (UI): HTTP will attract more and more warnings, while HTTPS may soon see the green UI and positive indicators dialed back.
Helme added: “This is really indicative of the changing circumstances we find ourselves in where HTTPS is becoming the norm and HTTP is becoming the exception. The browser should only alert us when something unexpected happens and we’re moving to a place where HTTPS is the expectation and not the exception.”
A look over 'The World's Most Popular Websites Loaded Insecurely' shows a few well-known brands, including Baidu and the aforementioned Daily Mail. So did it surprise Hunt and Helme that there were so many websites just running HTTP? Helme said it was a “little surprising” as while great progress is being made on encrypting the web, looking at the numbers and big sites like these without encryption “shows we still have a long way to go.”
Hunt said he felt he should not have been surprised, “but it still struck me when I started seeing all those big brands appear missing this fundamental security control. I hope we look back at this list in the near future and see the global rank of sites not protecting traffic rapidly going up as more and more go secure.”
Having seen the work that these researchers have done over the years first-hand, it is reassuring that two people with such a strong interest in securing the web have created this initiative. Along with efforts such as Let's Encrypt offering a way for websites to be secured more easily, it feels like this new website has come along at the right time.
At the time of writing, it is positive to see that a few websites have taken action in the first few hours of the initiative’s lifetime. Ensuring that the message resonates with the right people and that action is actually taken to make the web secure lies with the website owners, though, who are ultimately responsible.