Explaining the Small, Yet Significant, Change from “HTTP” to “HTTPS”

Featured article by Dean Coclin,Vice President, Business Development, at Symantec

If anyone has doubts about just how important it is for customers to feel safe and secure while visiting a company’s web site, the numbers from Black Friday and Cyber Monday should convince them otherwise. More than ever, people are shopping, doing their banking, making travel arrangements, and conducting virtually all other personal business online. Unfortunately, that makes them attractive targets to cyber criminals. That’s why the Certificate Authority Security Council (CASC) is leading the effort to help organizations make it clear to their customers that the personal information they entrust in you won’t fall into the wrong hands.

The CASC is an advocacy group committed to the advancement of web security, which has never been more important, or difficult, for businesses and other organizations to manage. Consider how many millions of consumers visited e-commerce sites on just one day.

U.S. consumers spent a record $3.3 billion online on Black Friday this year, according to Adobe Systems Inc. Spending via mobile devices on Friday increased 33 percent to an all-time high of $1.2 billion. (Source: Bloomberg)

Consumers are so busy and focused on several tasks at once – and that leaves them susceptible to common cyber attacks like being lured to fake web sites. These sites may look legitimate, but they’re quietly stealing information, such as credit card numbers and social security numbers.

If your customers fall victim to this type of scam, they will blame you. They entered your URL into their Web browsers, and expect you to guide them safely to your site.

Fortunately, the security industry, developers of the major Web browsers and Certificate Authorities (CAs) are working together to prevent consumers from becoming victims.

Add an “S” to “HTTP”

Soon, you won’t be able to reach many popular websites without adding an “s” at the end of “http” in the address bar. This assures visitors using any web browser that a page leverages the security protocol known as Transport Layer Security (TLS) – formerly Secure Sockets Layer (SSL) – cryptographic protocols that provide communications security over a computer network. Put simply, it shows that encryption is in place between the server and the user’s browser.

The SSL protocol is stronger now than ever because of the research and improvements made by member organizations of the Certificate Authority Security Council (CASC), an advocacy group committed to the advancement web security. HTTPS is an example of the CASC’s on-going efforts to earn the trust of customers and all users and improve internet security.

Website managers should be aware of how this will affect a customer’s online experience. This starts with displaying visual cues in their browser windows to alert users of non-https connections. For example, Google Chrome will highlight insecure pages with a red slash in the address bar. It will also warn users if an insecure page asks for a password or credit card by showing the words “Not Secure”. Firefox plans a similar warning for sites requesting passwords. In the future, both will transition from an information warning to a red triangle which is more noticeable.

Several major browsers are also changing their security indicators―the colors and symbols used in the address bar to indicate to visitors how safe a site is―to make it clear when an SSL/TLS-secured web page includes unsecured content that is vulnerable to man-in-the-middle tampering. In other words, this will make it clearer when a site fails to achieve always-on encryption and the danger this poses.

Other measures include replacing the long-time standard http with http2, which is much faster and enables a more enjoyable, efficient and secure user experience. Chrome, Firefox, Internet Explorer, Safari and Opera will soon only support http2 over https. That means as websites migrate to the speedier http2, they must use SSL/TLS.

Also, website managers who try to collect referrer data from other sites will require the use of https. Without https, the destination sites won’t know who is coming to their site.

Google is also incorporating these stricter standards into its popular Gmail client. Users will see an open lock icon that indicates an insecure connection is used by depicting an open lock in the Gmail user interface. Email servers that use certificates to encrypt mail server to mail server data don’t show an open lock and detail the type of encryption used.

Many sites have already made the transition to https, including Google’s BlogSpot and Analytics, Reddit, Flickr, Wikimedia, WordPress, Bitly and Shopify. The U.S. Government requires all sites under the .gov domain must be https by the end of this.

A key component of the HTTPS launch campaign is a series of CASC-led educational and advocacy efforts related to best practices in SSL deployment with a focus on the importance of online certificate status checking and revocation. These programs will help business owners, web server administrators, web browser developers and even consumers join the international effort to protect all online interactions.