Security Sense: The End of Non-Secure-by-Default Websites is Nigh

There’s a big change coming to website security and it’s going to have some really interesting ramifications. Let’s start here: is the website you’re reading this on “secure”? Now that’s a bit of a loaded term because it’s very hard to specifically define that word and then to answer it in the boolean fashion it implies. The measure by which most people would assess that question is the presence of a padlock next to the address bar and therefore, in this case as of the time of writing, the answer would be “no”, it’s not secure.

That assumption alone is a bit problematic; you’re reading a column on a public website which you’ve not authenticated to. From an integrity or confidentiality perspective, there’s not a whole lot of value in encrypting the page with HTTPS at least not compared to say, the necessity to encrypt passwords or financial transactions. Concluding the site is insecure on that basis alone would be hasty. Besides, the browser isn’t warning you about anything being insecure so we must be good, right? And that’s where it’s all going to change.

If you browse over to my personal blog at troyhunt.com and ask the same question you’ll conclude that it’s “secure”, at least with respect to seeing a padlock next to the address bar. And this is where the real heart of this story lies: secure sites are visually flagged as being secure while non-secure sites have no visual indicators at all. It’s a reflection of the web being non-secure by default and that’s where the change is coming.

We’ve been on a march towards HTTPS’ing more and more things and the latest step in that direction is Google’s announcement this week that as of January, they’ll “mark HTTP sites that transmit passwords or credit cards as non-secure”. This, of course, makes perfect sense and it means that so many of the cases where websites load login pages insecurely – such as Waitrose which I wrote about earlier this year – will begin showing explicit warnings to users. But that’s just the beginning…

That change has no impact on pages such as the one you see in your browser right now, but Google is throwing down the gauntlet on that front as well. In this week’s post, they also say that this move is “part of a long-term plan to mark all HTTP sites as non-secure”. What this means is that in the future you’ll look up at the address bar on a page loaded over HTTP and you’ll see the image at the top of this article.

This fundamentally changes the default treatment of non-secure sites as they move from a neutral security position to one with an explicit security warning. Google hasn’t put a timeframe on this yet, but they’ve been talking about it for a while now and the latest change around how the browser will treat these sites is going to mean a massive shakeup for the web. Fellow security researcher Scott Helme scanned the Alexa Top 1 Million sites last month and found that less than 14% of them actually served content over HTTPS by default. Now he also found that the HTTPS uptake was increasing rapidly which is good news, but clearly we’ve a long way to go yet.

So have a think about that the next time you’re browsing around the web and consider how much of what you’re looking at will begin being explicitly flagged as insecure unless they adapt. It’ll happen, it’s just a matter of time.