Google Pushing for HTTPS

by Manuel Pais on Dec 11, 2016

Google wants to push for HTTPS everywhere through a combination of deprecating existing Chrome features on non-secure sites and supporting new features only over HTTPS. Geolocation over HTTP has been deprecated since version 50 of the browser, and so has getUserMedia (access to a user's camera or microphone). Encrypted media extensions, application cache and device motion/orientation will follow soon. The rationale is that all these features deal with sensitive data that would otherwise be transmitted in the clear over an increasingly vulnerable web. The timeline for deprecating the remaining features is still under discussion.

Simultaneously, many recent features that could be vulnerable to attacks are supported only over HTTPS: for example, service workers, push notifications and adding a site to the home screen (all of these originating from mobile native apps, and now heavily used in progressive web apps). They also include credit card autofill and the recently introduced Payment Request API.

Besides developer features, Google is also trying to change the browsing experience to raise security awareness among users. For instance, Chrome will explicitly call out pages with non-secure forms requesting financial or sensitive information via a "Not Secure" string (as of version 56, scheduled for January 2017). Interested organizations can preview the UI changes by setting Chrome's canary flag #mark-non-secure-as.
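As an added example (not part of the original article and not Google's own logic), the following Python check lets a site owner find pages that would attract the "Not Secure" label described above. It assumes "sensitive" means password inputs and fields whose `autocomplete` token starts with `cc-`. The names `audit_page` and `SAMPLE_HTML` are hypothetical, and the check goes one step beyond the article by also flagging HTTPS pages whose forms submit to an HTTP URL.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="/login"><input type="password" name="pw"></form>
<form action="http://pay.example.test/charge">
  <input name="card" autocomplete="cc-number"></form>
"""

# Assumption: "sensitive" is approximated as password inputs and inputs whose
# autocomplete value contains a "cc-*" (credit card) token.
def _is_sensitive(attrs):
    itype = (attrs.get("type") or "").lower()
    tokens = (attrs.get("autocomplete") or "").lower().split()
    return itype == "password" or any(t.startswith("cc-") for t in tokens)

class _FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = [["", []]]  # first entry collects inputs outside any <form>
        self._current = self.forms[0]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", []]
            self.forms.append(self._current)
        elif tag == "input" and _is_sensitive(attrs):
            self._current[1].append(attrs.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = self.forms[0]

def audit_page(page_url, html):
    """Return findings for sensitive fields loaded or submitted over plain HTTP."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for action, fields in (f for f in scanner.forms if f[1]):
        target = urljoin(page_url, action)  # empty action resolves to the page itself
        if urlparse(page_url).scheme == "http":
            findings.append(("page-over-http", page_url, fields))
        elif urlparse(target).scheme == "http":
            findings.append(("submits-to-http", target, fields))
    return findings
```

Each finding is a tuple of reason, offending URL and the names of the sensitive fields, so the output can feed a migration checklist directly.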

Other recent advances have significantly reduced friction on the move to HTTPS. Emily Schechter, product manager for Chrome Security at Google, in a recent talk at the first O'Reilly Security Conference in Amsterdam, highlighted the importance of new service offerings by Let's Encrypt and CloudFlare. The former provides free certificates and an automated installer (increasingly important in today's DevOps world) on a sponsor and crowdfunding model strongly supported by famous Coding Horror blogger Jeff Atwood. CloudFlare, a CDN provider, now offers a free SSL tier, making it more affordable.

Overall, Schechter's talk provided a solid business case for HTTPS, stressing the idea that HTTPS is a minimum baseline security level for any site and providing evidence that traditional challenges for HTTPS are no longer applicable, for the most part.

Guardian and BBC are among the organizations that have been persuaded to move to HTTPS, at least partially due to Google's push. Schechter referenced other success cases such as Housing.com and AliExpress that not only improved security but actually grew their conversion rates using HTTPS-only features (plus Google will favor HTTPS content in their SEO algorithm).

Data from both Chrome and Firefox shows more than 50% of page loads worldwide are now HTTPS.

InfoQ.com and all content copyright © 2006-2016 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.