As of 2017, encryption is a baseline security requirement for all websites. Google, Apple, Microsoft and Mozilla’s browsers have nudged, and will now insist, on secure connections. Here’s how they’re moving the marketplace—and what to do for your organization.
From nudging to insisting on secure websites
In January 2017, Google Chrome began to display “Not Secure” next to URLs for websites that collected credit card information and passwords but were not using encryption. In October 2017, Chrome will display “Not Secure” for any form input that’s not using encryption—even a search box.
Eventually, we plan to show the “Not secure” warning for all HTTP pages, even outside Incognito mode.
Next steps toward more connection security, Chromium Blog
Apple has required the use of secure connections for iOS apps since January 2017. Although Safari lags behind Chrome in warning of non-secure websites per se, it has extensive tools to determine whether they are secure, fraudulent, or are using expired or untrusted encryption. https://support.apple.com/guide/safari/avoid-fraud-by-using-encrypted-websites-sfri40697
Mozilla, too, now warns of non-secure websites since January 2017.
To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear that they are not secure.
- Communicating the Dangers of Non-Secure HTTP, Mozilla Security Blog
The trend is clear: HTTPS encryption is a baseline requirement for all websites, not just those handling sensitive data.
So what is HTTPS?
HTTPS is a protocol that uses the standard web communication protocol, HTTP, with an embedded, encrypted channel—Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). It both authenticates a website, and encrypts all the communication back and forth, to protect against tampering, forging, or eavesdropping. The process of authentication and encryption uses digital certificates, issued by a trusted Certificate Authority, or CA.
Who are the certificate authorities?
There are a broad number of certificate authorities. You are likely already familiar with some of them—VeriSign (purchased by Symantec), Network Solutions, GoDaddy, GeoTrust, and DigiCert are amongst the most well known CAs. Launched in April 2016, the nonprofit organization Let’s Encrypt is a free, automated, and open CA, created by the non-profit Internet Security Research Group.
Notably, not all certificate authorities are the same. Mozilla, Apple, and Google have all, in turn, distrusted CAs for poor security practices and for issuing substandard certificates.
Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
What is a digital certificate?
A digital certificate is an electronic document that is used to prove the ownership of a public key. The key contains information about the owner and the issuer—the CA. If the key is valid, it can be used for secure, encrypted communication. There are various types of digital certificates.
Domain-validated certificates (DV)
Domain-validated certificates are easy to obtain, quick to setup, and, thanks to Let’s Encrypt, can be free. DV certificates can often be acquired through an automated process at one’s server. However, the sole criterion for issuing a DV certificate is proof of control over a domain. The CA doesn’t attempt to verify who the owner is. For this reason, while it offers a sufficient standard for data encryption, it provides a low level of owner authentication.
Organization-validated certificates (OV)
OV certificates require more validation than DV certificates—and thus, provide more trust. The issuing CA will verify the actual organization, and the organization’s name is listed on the certificate, too.
Oddly, it’s confusing at best to determine if a website is using an OV certificate on most web browsers. Typically, organizations that need a higher degree of authentication than what DV certificates offer use Extended Validation Certificates.
Extended-validation certificates (EV)
EV certificates are easy to identify: most browsers show a green color bar, with the name of the organization, directly in the address bar. This instant recognition is great for users—it’s immediate, visual, and clear. EV certificates require extra steps to validate the owner organization, such as the legal name, the operational and physical location, proof of domain name ownership, and confirmation of the identity and authority of individuals acting as the website owner as well as authorized officers.
EV certificates can be expensive—starting around $1,000/year, and going up, depending on various packages and levels of insurance purchased from the CA.
All websites—even uncomplicated marketing and communication websites—should use HTTPS encryption. In the next few years, browsers will increasingly penalize un-encrypted sites with warnings and messages to users; it’s also the right thing to do for customers who may be in public spaces, like cafes or places with open WIFI connections. The cost for a DV certificate is or is nearly free, as well—thanks, Let’s Encrypt!
E-commerce websites and sites that handle sensitive data should use EV certificates. Although the additional cost can vary, they run around $1,000 a year minimum (ExpeditedSSL offers one for $1,020 a year), and about $1,000 a year for server add-ons to support them.