
Google Pushing for HTTPS


Google wants to push for HTTPS everywhere with a combination of deprecating existing Chrome features on non-secure sites and shipping new features that are only supported over HTTPS. Geolocation over HTTP has been deprecated since version 50 of the browser, and so has getUserMedia (access to a user's camera or microphone). Encrypted media extensions, application cache and device motion/orientation will follow soon. The rationale is that all of these features handle sensitive data which, over plain HTTP, is transmitted in the clear on an increasingly vulnerable web. The timeline for deprecating the remaining features is still under discussion.

Simultaneously, many recent features that could be abused if exposed over an insecure connection are only supported on HTTPS: service workers, push notifications and adding a site to the home screen (all of these borrowed from native mobile apps and now heavily used in progressive web apps), as well as credit card autofill and the recently introduced Payment Request API.

Besides developer features, Google is also trying to change the browsing experience to raise security awareness among users. For instance, Chrome will explicitly call out pages with non-secure forms requesting financial or sensitive information via a "Not Secure" string (as of version 56, scheduled for January 2017). Interested organizations can preview the UI changes by setting Chrome's canary flag #mark-non-secure-as.

Other recent advances have significantly reduced the friction of moving to HTTPS. Emily Schechter, product manager for Chrome Security at Google, in a recent talk at the first O'Reilly Security Conference in Amsterdam, highlighted the importance of new service offerings from Let's Encrypt and CloudFlare. The former provides free certificates and an automated installer (increasingly important in today's DevOps world) on a sponsorship and crowdfunding model strongly supported by Coding Horror blogger Jeff Atwood. CloudFlare, a CDN provider, now offers a free SSL tier, making HTTPS more affordable.

Overall Schechter's talk provided a solid business case for HTTPS, stressing the idea that HTTPS is a minimum baseline security level for any site and providing evidence that traditional challenges for HTTPS are no longer applicable, for the most part.

The Guardian and the BBC are among the organizations that have been persuaded to move to HTTPS, at least partially due to Google's push. Schechter referenced other success cases such as and AliExpress that not only improved security but actually grew their conversion rates using HTTPS-only features (and Google's search ranking also favors HTTPS content).

Data from both Chrome and Firefox shows that more than 50% of page loads worldwide are now over HTTPS.
