In case you weren’t aware (it’s difficult to have missed this one) Chrome version 68 was released earlier this week. It brought with it a significant change to the way HTTP sites are displayed in the browser address bar. You’re probably used to seeing the little green “Secure” icon right? Well any sites not running HTTPS will now be marked as “Not Secure”. The reaction to this hasn’t been all positive though…

Why the change?

Research has shown that positive visual indicators (such as the green secure icon and padlock) and more importantly – the lack of positive indicators – are ineffective. People just aren’t great at making sure a site is secure before submitting sensitive details. People don’t tend to notice when something isn’t there unless they are really expecting it. This opens your average non-technical user up to phishing attacks and the risk of sending sensitive information to sites over an insecure transport.

I know to look for the secure icon. I’ve seen adverts on TV telling me to do so…

Great! I’m glad to hear it. Unfortunately though, such adverts have brought with them their own set of challenges. People are being inadvertently conditioned by these adverts to look for the green icon and think it means everything is ok: that if you see the icon, the site is trustworthy and safe to use. In reality all the “Secure” icon means is that your connection is encrypted and that you are talking to the site you entered into the address bar. It has no bearing whatsoever on the trustworthiness of the site.

Phishing sites have been abusing people’s misunderstanding of the secure wording by utilising HTTPS themselves. When someone sees a green secure logo it tends to lend more credibility to the phishing site and tricks people into believing their credentials can be safely entered. Go and ask a few non-technical people around you to explain what the green padlock/secure icon means. I bet at least some of the answers you get back are along the lines of “it means it is safe to use”.

Don’t just take my word for it though. Do you remember that Barclays advert with the toy robot promoting digital safety? It included the following line…

Right, before you pay, look for a padlock and always check the seller’s genuine. You don’t want to get scammed by a fake site …

Hmmm… not the best wording, right? Turns out the Advertising Standards Authority also thought this was misleading and Barclays got a telling off! HTTPS is also not an indication of the backend security of a site. A site may well be using HTTPS, but if they store your username and password in cleartext, how “secure” are they really?

This brings us back to Google’s push to mark sites as “Not Secure”. It aims to provide a negative visual indicator to users to make it clearer when a site isn’t secure (because there is no encryption between the browser and server) rather than just telling them when it is “secure”. Long term, it is likely that browsers will deprecate the secure indication altogether – i.e. HTTPS will be the norm, and you will only be alerted when connecting to non-HTTPS sites. Hopefully this change will help users be more vigilant when browsing to sites that don’t use HTTPS. They no longer have to keep an eye out for the absence of something (the green secure logo); it will be made much more obvious. It also has the added benefit of making sites stop and think about implementing HTTPS. Why would you want your site flagged as “Not Secure” after all?

The InfoSec community response

On the whole most InfoSec professionals are “pro” this approach from what I’ve seen. There are however still people who aren’t too happy with it. The most common themes I see amongst those who are against the changes are:

  • I only run a static site – it has no need for HTTPS
  • Google is being a bully/trying to kill HTTP/pushing their agenda on people
  • The InfoSec community is being a bully/there are other more important issues

Let’s have a bit of a look at each of these in turn.

My site doesn’t need HTTPS

Ok, your site is just a static blog page. You have no login pages. You have no forms. No sensitive information ever needs to cross the Internet. So why would you need HTTPS? From my perspective there is one simple answer – to protect your site visitors.

By running over HTTP only, you leave your end users susceptible to Man in The Middle (MiTM) attacks in places such as coffee shops, airports and shopping centres. Believe me – there is a lot of nasty stuff you can do with a MiTM and I’d suggest watching this video – Here’s Why Your Static Website Needs HTTPS to understand it a bit better. When you implement HTTPS with HSTS on your site (see my previous blog article for some info on this here) it helps protect your end users in these places if they choose to browse your site.

Now granted, unless every site on the Internet is running HTTPS and HSTS the problem doesn’t fully go away, but I don’t see this as an excuse not to implement HTTPS on your site. Particularly when certificates can now be acquired for free through organisations like Let’s Encrypt.

Some people seem to take the approach of saying “Well, it’s not my responsibility to protect visitors to my site. They should take their own precautions”. While this is partially true – users have to be responsible for being careful – I fundamentally disagree with this. If you can protect your visitors, I think you should. What if car manufacturers in the past had taken the same approach? “We aren’t going to bother installing seatbelts or airbags I’m afraid. It’s the driver’s responsibility not to crash”? See where I’m coming from?

Google is being a bully

Another one that weirdly keeps cropping up. The general theme is that Google are abusing their dominance in the market to push their own agenda and for the sake of net neutrality, we shouldn’t allow this. Or that they are trying to kill HTTP. A bunch of people just really seem to have it in for Google!

Don’t get me wrong – they are far from perfect and this sort of thing is a real risk. In this instance though, I don’t think it is really the case. Chrome is not the only browser that will be implementing this approach – they are just the first to do it (I believe). Numerous government organisations and security professionals across the world are also calling for HTTPS everywhere. This isn’t just something Google is pushing because they feel like it.

When all is said and done, Chrome is Google’s product. They have the right to change how it looks and behaves as they see fit, and you have the right as a consumer to choose a different browser if you don’t like what they are doing. No one is forcing you to use Chrome. There is no denying though that the changes are likely to end up persuading companies into implementing HTTPS. Is this bullying? I don’t really think so. At the end of the day, Chrome is only reporting the facts – your connection to the site in question is not secure as there is no encryption. They aren’t killing off HTTP. Nor are they blocking sites that don’t use HTTPS. They are just giving end users more obvious indicators which can help them to decide how they interact with the site.

The InfoSec community is being a bully

Bullying may be a strong term – but I can kind of see where people are coming from more with this one. I see it most days on Twitter at the moment – people tweeting companies and other individuals demanding they implement HTTPS.

I think there has been a kind of “mob mentality” going on that has come about as a result of high-profile individuals such as Troy Hunt and Scott Helme really pushing for HTTPS. Don’t get me wrong, I think the work that they have been doing is fantastic and is pushing the Internet to where it needs to go. This is not a criticism of their work by any means. But I see lots of people jumping on board the HTTPS train and demanding every site must go and implement it in a series of (sometimes quite angry) tweets. Often one of the aforementioned gentlemen is copied in on the tweet. Could some people just be doing it because they want to feel part of something and get noticed? Possibly. I myself have been guilty of this.

There are also sites that now name and shame top sites where HTTP is used by default. Again, one high-profile site created by Troy and Scott is Why No HTTPS?.

How do I feel about all this? Mixed to be honest. Personally I’d like to see all sites using HTTPS with HSTS and if naming and shaming persuades the company to do this, then perhaps this is a good thing? There are some sites that absolutely should be using secure only already (banks, shops – those kind of sites) and for those they probably need a good kick up the arse. But I don’t know – the naming and shaming approach has a faint whiff of “bullying” about it. It’s a bit of a fine line.

If a site chooses not to use HTTPS (at least where no sensitive info is involved) that is their prerogative. Do I think they should be using HTTPS? Absolutely yes. As mentioned several times, I think all sites should. However I’m not sure we should bombard people and force them to implement it. What if we took this concept into a real-world scenario? I’m a big fan of password managers, but if I started following people round the streets with a bunch of others shouting “WHY AREN’T YOU USING A PASSWORD MANAGER. YOU’RE INSECURE. WHEN ARE YOU GOING TO START USING ONE” it would probably not go down too well.

Summary

I hope the recent browser changes persuade people/companies to adopt HTTPS where they aren’t already. I still think it should be used everywhere. However, don’t forget – HTTPS alone isn’t the be-all and end-all. Sites should also be implementing HSTS to actually protect their end users against the MiTM attacks often referenced.

In summary:

  • If you’re not using HTTPS on your site please consider implementing it along with HSTS – it helps protect your visitors
  • If you are adamant you don’t want to use HTTPS then fine – just be aware you’re not providing your visitors extra protection and the recent changes could deter visitors from using your site
  • Google is not trying to take over the world and destroy the Internet. They aren’t the only browser who will be implementing this change!
  • If you’re on Twitter – maybe calm down a bit if you’re one of the angry tweeters 😉

Questions? Comments? Or just want to shout at me about how you disagree with me? Follow me on Twitter @mike_sec_eng or get in touch by one of the other provided means!
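The post keeps coming back to “HTTPS with HSTS”, both in the static-site section and in the summary, so here is a small checker for that advice. It is an added example, not code from the original post or from any browser: it parses a Strict-Transport-Security header the way RFC 6797 lays out the directives (case-insensitive names, `;` separators, a mandatory numeric `max-age`, and `max-age=0` meaning “forget the policy”) and then sorts a site into one of four buckets. The one-year/includeSubDomains bar for “strong” follows the usual preload-list guidance but is this example’s own choice, the function names are mine, and the header values used in the demo are constructed.

```python
"""Classify a site by its transport protection: plain HTTP, HTTPS only, or HTTPS + HSTS.

Added example for this post; not code from the original author. Header parsing
follows RFC 6797; the "strong" threshold (max-age >= 1 year plus includeSubDomains)
is an assumption borrowed from common preload guidance, not a standard.
"""
import re
import urllib.request
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31_536_000  # seconds; the max-age typically expected before preloading


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is absent or has no valid max-age, which is how
    a browser treats it: no HSTS policy is recorded for the host.
    """
    if header is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # RFC 6797 allows a quoted-string value
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None  # malformed max-age: the whole policy is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is mandatory; without it there is no policy
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(scheme: str, hsts_header: Optional[str]) -> str:
    """Bucket a site the way the post's argument does.

    not-secure  : plain HTTP, every request is readable and rewritable on the path
    https-only  : encrypted, but the first visit over http:// can still be downgraded
    hsts-weak   : HSTS present but short-lived or not covering subdomains
    hsts-strong : max-age of at least a year and includeSubDomains (assumed bar)
    """
    if scheme.lower() != "https":
        return "not-secure"
    policy = parse_hsts(hsts_header)
    if policy is None or policy.max_age == 0:  # max-age=0 tells the browser to drop HSTS
        return "https-only"
    if policy.max_age >= ONE_YEAR and policy.include_subdomains:
        return "hsts-strong"
    return "hsts-weak"


def fetch_hsts_header(url: str) -> Optional[str]:
    """Fetch the live header for a site you operate (network access required)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        ("http", None),
        ("https", None),
        ("https", "max-age=300"),
        ("https", "max-age=31536000; includeSubDomains; preload"),
    ]
    for scheme, header in samples:
        print(f"{scheme:5} {str(header):50} -> {assess(scheme, header)}")
```

To check your own site, replace the constructed samples with `assess("https", fetch_hsts_header("https://example.invalid/"))`; the `https-only` bucket is the one the summary warns about, where the site encrypts traffic but has not yet told browsers to refuse plaintext.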