It is the stuff of legend that, at the advent of the internet, there were no IT security advocates present to argue the case against a future such as ours, and the character "S" was deemed an unnecessary inclusion in protocols such as HTTP (Hypertext Transfer Protocol).
Thankfully, today it's relatively unusual to find a reputable website transmitting sensitive information, such as payment details, without encryption. HTTP over SSL (Secure Sockets Layer) has been a major success and is widely used because it is transparent to the user, arguably the holy grail of any security solution. Yet this has come with an observable trade-off: its presence, or lack of it, is completely ignored. Users more often than not will proceed regardless of a warning.
Google have taken notice too and, with a sense of self-declared stewardship for the internet, have decided to place their cross-hairs on HTTP. As of January 2017, release 56 of Chrome will start to write the words “Not Secure” next to the addresses of websites which are using HTTP and transmitting sensitive information.
This sounds sensible and actually not too important for those who do not transfer such information. However, reading further into Google’s Security blog reveals that this is just phase one of a two-step plan. Subsequent to release 56, Google aims to present the words “Not Secure” on any website using HTTP, even those not transmitting sensitive information.
Essentially, any organisation’s website will be declared unsafe to its viewership until the organisation buys a certificate and uses a secure channel. Some may see this as bully-ish; after all, what right does Google have to declare websites unsafe unless they actually are? And in any case, what’s wrong with non-secure protocols when the information being transmitted is benign?
It's easy to become offended, but such arguments forget that SSL certificates have other purposes outside of encryption, for example integrity checking: the assurance that the site sent to our browser is indeed the correct version.
The internet has changed, and so has the way we interact with and rely on the information it delivers to us. Just days before writing this article, automatic trading machines in Asia began rapidly selling currency after they thought they had noticed a high degree of financial negativity on news outlet websites. This is actually behaviour by design, yet highly dangerous if it's incorrect.
Imagine if we could intercept and change website content on reputable sites, for example BBC News, so that they contained false stories. It would in theory be possible to affect economic forces in a way which favours the interceptor. The integrity checking nature of SSL certificates can be used to combat this.
Google’s effort to improve the security of the internet is a positive step. With HTTP in its cross-hairs and imminent retirement guaranteed, we can all look forward to at least some of the inherited issues of an insecure internet becoming ever so slightly more secure. Well done Google.