<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

Googles Quest to Shame You into Being More Secure

Topics: SSL, Web Security, Google, HTTPS

Posted: 12 October 2016

Google_Security_HTTPS.jpgIt is the stuff of legend that at the advent of the internet, there were no IT security advocates present to argue the case against a future such as ours and the character S was deemed an unnecessary inclusion to protocols such as HTTP (Hyper Text Transfer Protocol).

Thankfully, today it's relatively unusual to find a reputable website transmitting secure information, such as payment details, without encryption. HTTP over SSL (Secure Socket Layer) has been a major success and is widely used as it is transparent to the user, arguably the holy grail of any security solution. Yet this has come

with an observable trade off, it’s presence, or lack of it, is completely ignored. Users more often than not will proceed regardless of a warning.

Google have taken notice too and with a sense of self-declared stewardship for the internet, they have decided to place their cross-hairs on HTTP. As of January 2017, release 56 of Chrome will start to write the words “Not Secure” next to website addresses which are using HTTP and transmitting secure information.

This sounds sensible and actually not too important for those who do not transfer such information. However, reading further into Google’s Security blog reveals that this is just phase one of a two-step plan. Subsequent to release 56, Google aims to present the words “Not Secure” on any website using HTTP, even those not transmitting sensitive information.

Essentially any organisations website, will be declared unsafe to their viewership until they buy a certificate and use a secure channel. Some may see this as bully-ish, after all what right does Google have to declare websites unsafe unless they actually are? And in any case what’s wrong with non-secure protocols when the information being transmitted is benign?

It's easy to become offended but such arguments forget that SSL certificates have other purposes outside of encryption, for example integrity checking. The assurance that the site sent to our browser is indeed the correct version.

The internet has changed so has the way we interact and rely on the information it delivers to us. Just days before writing this article, automatic trading machines in Asia began rapidly selling currency after it thought they had noticed a high degree of financial negativity on news outlet websites. This is actually behaviour by design, yet highly dangerous if it's incorrect.

Imagine if we could intercept and change website content on reputable sites, for example the BBC news, so they contained false stories? It would in theory be possible to affect economic forces in a way which favour the interceptor. The integrity checking nature of SSL certificates can be used to combat this.

Google’s effort to improve the security of the internet is a positive step. With HTTP in it's cross-hairs and imminent retirement guaranteed, we can all look forward to at least some of the inherited issues of an insecure internet becoming ever so slightly more secure. Well done Google.

Ransomware Survival Guide Whitepaper

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts