Being wrapped up daily in the world of enterprise scale systems, large application deployments and sophisticated cloud infrastructure, I don’t really think about HTTPS or SSL certificates. You might think that’s odd, but at Swarm we just include HTTPS as part of our technology stack. It’s become an assumed part of the package for enterprise applications and mobile solutions alike. That said, a few years ago, encrypted connections were only considered essential for eCommerce and online banking. But with data security and protection being at the forefront of everyone’s minds, times change and suddenly secure websites and HTTPS are more relevant than ever. What’s interesting though is that a significant chunk of the public facing internet hasn’t quite got there yet.
So if over half of the top 1 million websites on the internet do not use HTTPS by default (i.e. redirect HTTP to HTTPS), what can we do about it?
Alright, let’s take a step back. Maybe you don’t know what HTTPS is? Or maybe you’ve heard your colleague mention it and you know it’s important but don’t know where to start? Crash course time:
This is a secure site. Swarm built it, so of course it is! In the newer versions of Chrome, Safari, Firefox and other modern browsers, visiting www.swarmonline.com will show “https” in front of the address. They will often show the text “Secure” and/or a padlock icon next to the URL to indicate your connection to the site in question is secure. This means your connection and all traffic you send to the site is encrypted and the website is actually owned by SwarmOnline Ltd. Excellent!
This is not a secure site. Well that’s not entirely true – political affiliations aside, the Fox News website won’t “steal your credit card data” as the warning message may suggest. But, by not having HTTPS configured, your connection to the Fox News web server is not encrypted and there is no way for you to trust (via the URL alone) that this is the real version of the Fox News site you are looking at.
It’s not always as simple as that though… Because that would be far too easy! Have a look at this site (sorry Selenium…):
Notice that the URL does contain “https” but Google Chrome still says the site is insecure… There are a few potential reasons for this. The main one – Mixed Content.
You can see that the developer console (above) tells you why the connection to the site is not fully secure. We are loading the main site securely (over HTTPS), but links from that site (in this case to http://www.google.com/cse – Google’s Custom Search engine – I saved you a click…) do not use HTTPS therefore the site is not considered fully secure. The worst part is that in this example, this link to Google actually redirects to an HTTPS link of the same name, meaning that Selenium would just need to update the URL on their side! Very Frustrating.
I can already see your eyes rolling – This isn’t important to you. You have already secured your site. You don’t need HTTPS. No, trust me, it’s still relevant. Keep reading…
Google Chrome is the most popular browser in the world with over 55% market share as of June 2018. Chrome is being updated today (24th July 2018) to version 68 which, amongst other changes and fixes, adds the “Not secure” label to all sites that don’t use HTTPS. This means that users will get messages from their browser saying that many sites they are accessing are “Not secure” – surely that can’t be good for business?
You are now up to speed. What should you do about it?
As a consumer
Remain vigilant (I’m sure you were already). This change in Chrome will undoubtedly push more sites to use HTTPS but, in the meantime, be mindful of the URLs you access and if they use valid HTTPS. Using a site without it doesn’t mean it is inherently insecure, but would you be happy entering your credit card details on there?
As a Web Site/Application Owner
You might already have HTTPS on your site. If so, good for you (remember to keep your certificate up to date). But if you don’t have HTTPS on your site, get it sorted! It’s pretty easy nowadays. You can buy an SSL certificate from many sites online (like you would buy a domain name), but sites like CloudFlare and LetsEncrypt offer free SSL certificates and instructions to get your site using HTTPS.
As a Sysadmin/DevOPS/Jack of all Trades Type Person
You have a lot of applications to manage? Let me guess, most of the external ones have HTTPS but internal ones… don’t? That would be too time consuming and expensive!
Well, maybe. Swarm has worked hard over the past 18 months to automate our internal and cloud infrastructure so we can offer basic services (including HTTPS) over our entire technology stack without significant cost or time investment. Internally we have had success automating LetsEncrypt and externally (on our AWS Cloud environment) we generally use Amazon’s excellent Certificate Manager which, with a little magic, manages all of this for you.
We can’t secure all the sites on the internet but we try to secure as much as we can on our internal and external systems because our data and the security of those systems one of the most important aspects of what we do. In the world of GDPR and the big bad world of the internet, many people are out to find vulnerabilities in your website (have you checked out #HackTheHive?). So make sure to secure your site a little more and maintain the trust of your customers!