Google Pushes HTTPS with Google Canary Feature

On the heels of an announcement last summer that websites using HTTPS will receive a SEO boost, Google is taking more steps to encourage a more encrypted web.

Google created a version of Chrome with a feature designed to warn users when they visit unencrypted web pages. For now, this feature is only available on Google Canary, a test version of Chrome, and a user has to manually enable the feature. But this is expected to become the norm as the Chrome Security Team plans a transition for Chrome later this year.

Warning Messages Educate Users

The feature allows users to receive a visual alert when navigating to an HTTP-secured website so they know the moment they are exploring unencrypted territory.

“When there is no data security, the UA (user agent) should explicitly display that, so users can make informed decisions about how to interact with an origin,” Chris Palmer from Google’s Chrome Security Team said.

In Google Canary, a user has to activate the “mark non-secure origins as non-secure” option, and when a user navigates to a HTTP site, they will receive a warning icon in the address bar: a gray padlock with a red ‘X.’ This icon alerts the user about the situation, and at that point the user can make a decision whether to proceed with unencrypted browsing or move to a different webpage.

Google’s plan to inform users about unencrypted browsing may already be working. CNET published a story about this same topic at the end of January and specifically highlighted several popular websites that, at the time of publishing, did not have HTTPS connections. Out of the seven websites, four have already made the switch to HTTPS.

Google’s Visual Cues for HTTPS Connections

The development of Google Canary is further evidence that Google values HTTPS technology.

Currently, Google Chrome produces a green padlock visual cue for websites that use HTTPS. More noticeable visual cues are given to websites that go through a more rigorous validation process when obtaining SSL Certificates. For example, websites that are secured with an Extended Validation certificate receive a green, branded address bar.

Authentication Is Critical for Trusted Web Browsing

Google’s proposal is interesting, but the authentication component—which is critical to trusted web browsing—still needs to be addressed.

Some may say obtaining and setting up SSL Certificates is difficult, and there should be an open system in order to make moving from HTTP to HTTPS easier and faster. But there are existing trusted Certificate Authorities that make the process simple. DigiCert, for example, offers around-the-clock customer support, issues certificates in a matter of minutes, and provides a number of tools to streamline the process. Validation is often the longest part of the process, and this is why some may say obtaining certificates is difficult, but the validation process is the most important piece of the certificate issuance and it is also the main way CAs can weed out fraud.

Some security professionals may also say certificates should be free, but obtaining a certificate from an open Certificate Authority poses serious risks in the immediate and distant future of the Internet. Free certificates may result in lack of identity validation, which still leaves web users vulnerable to phishing.

The validation portion of the certificate-obtaining process is crucial for trusted web browsing. Take the validation required for the basic server SSL Certificates for example.

Certificates validated only using domain validation are the lowest level of assurance available from commercial CAs. The validation includes the following:

  • A check to ensure the WHOIS record reflects the domain owner.
  • A verification that the contact at the domain approves the request, or that someone evidenced control over a site hosted at the domain.

The last check is often automated. While valuable, this level of validation by itself is insufficient for safe browsing. Without additional checks on the entity controlling the domain name, the certificate fails to prove that the certificate was actually authorized.

High-assurance validation is the only way to ensure trust across the web. The benefits include more extensive validation checks on a domain, organization, and authorization level, as well as reviewing the additional documentation required for Extended Validation certificates.

A more encrypted web using HTTPS could provide many benefits to users, but without examining authentication procedures and having proper validation checks in place, web browsing may not be as reliable as hoped for. Moving to HTTPS is only half the solution. The other half lies in authentication checks and high-assurance certificates.

Posted in Browser, Encryption, Privacy, Security, SSL, Uncategorized