HTTP VS. HTTPS: Google Chrome Update
Roman Piluta, April 20, 2020
Google’s Chrome web browser is far and away the winner of the browser wars. While the Microsoft Internet Explorer (IE) browser once had a commanding lead, Chrome now sits unchallenged at the top. In fact, the newest Microsoft browser, Edge, is based on Chromium. Other browsers like Firefox and Opera are still available, but Chrome is by far the most popular option on systems today. Fortunately for us, security has always been an overriding principle within Chrome and one of its main tenets. With this security come changes in the way we consume web content.
Historically, websites were created using hypertext transfer protocol (HTTP). This protocol was launched in the earliest days of the internet – the 1990s – but things have changed since then. Today’s consumers are more security conscious and, sadly, today’s criminals are more capable, with better tools and technology.
HTTP vs HTTPS
HTTP enables connections on demand and does not provide data encryption. Basically, this means that when you click a link, the web browser sends the request to a server. The server responds by opening the page. Based on your connection speed, the information will be provided to you almost instantly. This is all to the good, but a key point to realize is that the only thing HTTP cares about is sharing the information. How it gets from point A to point C is not as important. What this means is that it is at risk of being intercepted and potentially altered.
With more and more activities moving online, companies realized that they needed to ensure consumers’ personal information was secured and protected. Secure Sockets Layer (SSL) certificates were designed as a means of ensuring confidentiality and integrity.
Without HTTPS, any information sent online – things like your bank and credit card information, your personal details, your username/password and more – is sent in plaintext. This means that anyone with access to the link and connection has access to that information. SSL certificates, however, ensure that information sent is encrypted. The expectation was that over 90% of the world’s HTTP traffic would be secured over SSL/TLS by 2019; however, that has not yet come to pass.
By May 2019, 84.2% of page loads in Chrome were HTTPS pages. This is a significant improvement, but there is still work to be done. Companies that are on the fence about encryption and security need to understand that 85% of shoppers online avoid insecure websites. This is borne out by the fact that 90.2% of the time spent browsing on Chrome is on HTTPS pages.
HTTPS can be considered a new and improved version of HTTP. HTTP worried about the destination but didn’t consider the path. The SSL certificate ensures that the path is also accounted for and helps to ensure that data is moved safely and securely.
Google Chrome, with its emphasis on security, is taking this a step further. Google is working to ensure that all users online have the safest possible experience. Many websites serve a mixture of secure and insecure content. Basically, this means that while some parts of a website are correctly configured and encrypted, they might link to other resources that load insecurely. These resources could include images, audio, and video, and if any of these files are modified or tampered with, they could leave a user at risk.
Starting with Chrome 82, Google will start warning users if they are about to download dangerous mixed content. As the versions continue to change, this content could be actively blocked. Google’s goal is to ensure that all sites are fully migrated to HTTPS to ensure user protection and security.
With the changes coming, many sites are going to have to look closely at their design and configuration. While the links and information they might be offering are completely legitimate and useful, as versions change, they will become harder and harder to access. Sadly, many website owners and administrators have no concept of the idea of mixed content. Added to this, they are unaware of what the impact of this mixed content will be on their user base.
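The following is an added example, not part of the original post: a minimal audit script a site owner could run over a page's HTML to list resources that an HTTPS page would still load over plain HTTP. It goes beyond the images, audio and video named above by also covering scripts, frames and stylesheets, and it treats the `download` attribute on a link as a heuristic for file downloads; all host names and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute fetches a subresource, with a coarse category.
SRC_TAGS = {"img": "media", "audio": "media", "video": "media",
            "source": "media", "script": "active", "iframe": "active"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, category, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = []
        if tag in SRC_TAGS and attrs.get("src"):
            candidates.append((SRC_TAGS[tag], attrs["src"]))
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel and attrs.get("href"):
            candidates.append(("active", attrs["href"]))
        # Plain links are navigation; only download anchors are reported.
        if tag == "a" and "download" in attrs and attrs.get("href"):
            candidates.append(("download", attrs["href"]))
        for kind, raw in candidates:
            # Resolve relative and protocol-relative URLs against the page URL.
            resolved = urljoin(self.page_url, raw.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((self.getpos()[0], tag, kind, resolved))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; every host name is a placeholder.
SAMPLE_HTML = """<head><link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/lib.js"></script></head>
<img src="http://images.example.com/logo.png">
<img src="//images.example.com/banner.png">
<video src="https://media.example.com/intro.mp4"></video>
<a href="http://files.example.com/setup.exe" download>Installer</a>
<a href="http://partner.example.com/">Partner site</a>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://www.example.com/", SAMPLE_HTML):
        print("line %d: <%s> [%s] %s" % finding)
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme, so only the three resources with an explicit `http://` URL are reported.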
As Google continues to push sites towards HTTPS, they will come down even harder on mixed-content sites. From a user perspective, this is a huge improvement. The onus will still be on the user to ensure that the site they are navigating to and providing their information on is legitimate. HTTPS does not remove this requirement, as criminals are also able to use HTTPS sites. While it is not complete protection, the internet as a whole will become a much safer place.
For help ensuring your site and all of its content are secured, contact us. At NIX we have a team of developers, designers and website administrators that know and understand what Google is looking for. We can work with you to ensure that you are providing your users with the information they need and want while staying in compliance with changing expectations. Let us help you protect your website and service your customers.