BT

New Early adopter or innovator? InfoQ has been working on some new features for you. Learn more

Google Pushing for HTTPS

| by Manuel Pais on Dec 11, 2016. Estimated reading time: 2 minutes |

Google wants to push for HTTPS everywhere with a combination of deprecating existing Chrome features in non-secure sites, as well as new features only supported in HTTPS. Geolocation over HTTP has been deprecated since version 50 of the browser and so has getUserMedia (access to a user's camera or microphone). Encrypted media extensions, application cache and device motion/orientation will follow soon. The rationale being that all these features deal with sensitive data that is otherwise being openly transmitted, over an increasingly vulnerable web. The timeline for deprecation of remaining features is still under discussion.

Simultaneously, many recent features that could be vulnerable to attacks are only supported in HTTPS. For example, service workers, push notifications and adding a site to the home screen (all of these originating from mobile native apps, and now being heavily used in progressive web apps). But they also include credit card autofill and the recently introduced payment request API

Besides developer features, Google is also trying to change the browsing experience to raise security awareness among users. For instance, Chrome will explicitly call out pages with non-secure forms requesting financial or sensitive information via a "Not Secure" string (as of version 56, scheduled for January 2017). Interested organizations can preview the UI changes by setting Chrome's canary flag #mark-non-secure-as.

Other recent advances have significanty reduced friction on the move to HTTPS. Emily Schechter, product manager for Chrome Security at Google, in a recent talk at the first O'Reilly Security Conference in Amsterdam, highlighted the importance of new service offerings by Let's Encrypt and CloudFlare. The former provides free certificates and an automated installer (increasingly important in today's DevOps world) on a sponsor and crowdfunding model strongly supported by famous Coding Horror blogger Jeff Atwood. CloudFlare, a CDN provider, now offers a free SSL tier, making it more affordable.

Overall Schechter's talk provided a solid business case for HTTPS, stressing the idea that HTTPS is a minimum baseline security level for any site and providing evidence that traditional challenges for HTTPS are no longer applicable, for the most part.

Guardian and BBC are among the organizations that have been persuaded to move to HTTPS, at least partially due to Google's push. Schechter referenced other success cases such as Housing.com and AliExpress that not only improved security but actually grew their conversion rates using HTTPS-only features (plus Google will favor HTTPS content in their SEO algorithm).

Data from both Chrome and Firefox shows more than 50% of page loads worlwide are now HTTPS. 

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and dont miss out on content that matters to you

BT