The importance of a padlock

In January 2017 Google released the latest version of its Chrome browser, the 56th version no less. And with it was a new feature to actively identify website pages containing password fields such as login and checkout pages, which don’t use encryption and instead transfer data over the https:// protocol. Here our senior web developer Tim Mead makes sense of it all.

Unencrypted HTTP is particularly dangerous for login pages, as it could allow an attacker to intercept passwords as they travel across a network in plain text. In a time of an increased use of open public Wi-Fi spots this is a big deal.

Up until this point, browsers such as Chrome alerted users when they were using a secure site (one using the secure protocol https://), but didn’t label those which weren’t secure. The upshot of this was that users had no idea whether a given website was secure or dangerous (you can find out more about this our ‘further reading’ index below *1).

A paper produced last year by Usenix on ‘rethinking connection securing indicators’ showed that many people don’t necessarily understand the security indicators such as the green bar and/or padlock symbol in the browser address bar or the implications of not using a secure connection (further reading *2).

So, the question is will website owners take note and action the changes? Google plans to alter its ranking system to take HTTPS into account, meaning if you don’t address the issue soon, you’ll find your search engine ranking dramatically reduced. Google confirmed this fact in an announcement saying: “For these reasons, over the past few months, we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal…we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.” (further reading *3)

And it’s not just Google who see the future of the web being delivered via HTTPS, Apple and Mozilla have also got on board with the idea so it becomes less of a choice and more of a necessity as we move towards a more secure web and the advice is: don’t wait. (further reading *4)

With plenty of web based companies getting on board sooner rather than later, the move over to https:// is an inevitability and there are lots of online guides available explaining the steps of migration. The vital technology required in this process is a SSL (secure socket layer) certificate, which must be obtained from a company known as a ‘Certificate Authority’. They will go through several identification processes to verify the certificate is issued to a valid company so users can trust the site they are on. The SSL shopper provides details on how to order an SSL certificate.

However, there are occasional breaches of security from Certificate Authorities, which do bring this process into question, most recently by Symantic one of the biggest SSL providers. One thing that has changed over the last few years in relation to website security is the rise of the free SSL certificate. Previously, to set your website up to use https:// you would have to spend not an insignificant amount of money each year to purchase an SSL certificate (the more fancy ones which show a green address bar can cost hundreds of pounds). Until recently, there was a handful of companies offering SSL and there was no free option. However, companies such as CloudFlare and LetsEncrypt now offer SSL for free, so there’s now even less reason not to secure your website and deliver it over the https:// protocol.

Whichever way you look at it, the future of the web is via https://

The importance of a padlock

Cookies and EU regulation – what you need to know