TLS - Time to finally implement TLS everywhere

This blog was previously posted here: https://www.unic.com/en/competencies/experts-blog/2017/website-available-through-tls but has since been deleted.

Google Chrome, with a market share of about 60% currently the most used web browser [^1], will mark HTTP pages as “Not secure” as soon as the user types into a form field on them (and all HTTP pages opened in Incognito mode) from version 62 onwards, due in October 2017. [^2]

It is a stated goal of the Chromium project (the open source project behind the Chrome browser) to eventually mark all HTTP pages as “Not secure” in Chrome [^3].

What is Transport Layer Security?

Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL), is a family of cryptographic protocols that “provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Websites use TLS to secure all communications between their servers and web browsers.” [^4]

“The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications. When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) have one or more of the following properties:

The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session […]. The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional but is generally required for at least one of the parties (typically the server).

The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.” [^4]

In the past, using TLS was often judged too costly: certificates were expensive and cumbersome to install, and encrypting all traffic consumed scarce compute power. Many websites therefore used TLS only on sensitive pages, such as login forms. Over the last few years, however, TLS has spread to more and more websites and has become a must-have. Certificates are available from multiple sources (even for free), with plenty of documentation on how to obtain and install them. The benefits of TLS-enabling a website are:

  • A clear signal to users that a company takes data privacy and protection seriously, even where the risk of data exposure is low.
  • TLS is good for page ranking (search engine optimisation, SEO). How large the effect of TLS on ranking is, is not known (in 2014, Google called it a “lightweight signal” [^5]), but it is a ranking signal, and as markets become more and more competitive, everything that helps a website rank better should be done. The green symbol in the browser bar also helps to keep users from bouncing back to the search engine results page, which is a positive user signal.
  • This, in turn, helps you gain users’ trust.

HTTP/2

In practice, TLS is also a prerequisite for (yet) another new protocol: HTTP/2, a major revision of the more than 15-year-old HTTP/1.x protocol. At a high level, HTTP/2:
  • is binary, instead of textual
  • is fully multiplexed, instead of ordered and blocking
  • can, therefore, use one connection for parallelism
  • uses header compression to reduce overhead
  • allows servers to “push” responses proactively into client caches

“Although the standard itself does not require use of encryption, most client implementations (Firefox, Chrome, Safari, Opera, Internet Explorer, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.” [^6]
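To make the first three points of the list above concrete, here is a minimal parser for the HTTP/2 framing layer, added as an example for this post (it is not code from the original article or from any HTTP/2 implementation). It reads a constructed client-to-server byte string, not a real capture, consisting of the connection preface, a SETTINGS frame and two requests interleaved on streams 1 and 3; the HPACK payload bytes are hand-picked static-table indexes and are not decoded here. The size and truncation checks are the ones any receiver needs, because the 24-bit length field can claim far more data than the negotiated SETTINGS_MAX_FRAME_SIZE allows.

```python
"""Minimal parser for the HTTP/2 framing layer (RFC 7540, section 4): every message is
a 9-octet binary frame header followed by a payload, and frames for different streams
share one connection, identified by the stream id in each header."""
import struct
from typing import List, NamedTuple

CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client sends this first (RFC 7540 3.5)
DEFAULT_MAX_FRAME_SIZE = 1 << 14                         # 16384 until SETTINGS says otherwise

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
FLAG_END_STREAM = 0x1    # DATA and HEADERS
FLAG_END_HEADERS = 0x4   # HEADERS and CONTINUATION
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3


class Frame(NamedTuple):
    type_name: str
    flags: int
    stream_id: int
    payload: bytes


class FrameError(ValueError):
    """Malformed framing; a real peer would answer with GOAWAY (FRAME_SIZE_ERROR / PROTOCOL_ERROR)."""


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 32-bit (reserved bit + stream id)."""
    return len(payload).to_bytes(3, "big") + struct.pack("!BBI", ftype, flags, stream_id) + payload


def parse_frames(data: bytes, max_frame_size: int = DEFAULT_MAX_FRAME_SIZE) -> List[Frame]:
    """Split a client-to-server byte stream into frames, refusing truncated or oversized ones."""
    if not data.startswith(CONNECTION_PREFACE):
        raise FrameError("missing HTTP/2 connection preface")
    pos = len(CONNECTION_PREFACE)
    frames = []
    while pos < len(data):
        if len(data) - pos < 9:
            raise FrameError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags, raw_stream = struct.unpack("!BBI", data[pos + 3:pos + 9])
        stream_id = raw_stream & 0x7FFFFFFF        # reserved high bit must be ignored on receipt
        # The length field can claim up to 16 MiB; never trust it beyond the negotiated
        # limit or beyond the bytes actually received.
        if length > max_frame_size:
            raise FrameError(f"frame length {length} exceeds SETTINGS_MAX_FRAME_SIZE {max_frame_size}")
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise FrameError("truncated frame payload")
        frames.append(Frame(FRAME_TYPES.get(ftype, f"UNKNOWN(0x{ftype:02x})"), flags, stream_id, payload))
        pos += 9 + length
    return frames


def parse_settings(payload: bytes) -> dict:
    """SETTINGS payload: a sequence of 16-bit identifier / 32-bit value pairs (RFC 7540 6.5.1)."""
    if len(payload) % 6:
        raise FrameError("SETTINGS payload length must be a multiple of 6")
    return {ident: value for ident, value in struct.iter_unpack("!HI", payload)}


# Constructed sample connection (not a real capture): preface, a SETTINGS frame, then two
# requests interleaved on streams 1 and 3. The HEADERS payloads are HPACK indexed fields
# from the static table: 0x82/0x87/0x84 = ":method GET, :scheme https, :path /",
# 0x83/0x87/0x85 = ":method POST, :scheme https, :path /index.html".
SAMPLE = (
    CONNECTION_PREFACE
    + build_frame(0x4, 0, 0, struct.pack("!HI", SETTINGS_MAX_CONCURRENT_STREAMS, 100))
    + build_frame(0x1, FLAG_END_HEADERS | FLAG_END_STREAM, 1, b"\x82\x87\x84")
    + build_frame(0x1, FLAG_END_HEADERS, 3, b"\x83\x87\x85")
    + build_frame(0x0, FLAG_END_STREAM, 3, b"q=1")
)

if __name__ == "__main__":
    for f in parse_frames(SAMPLE):
        print(f"{f.type_name:8} stream={f.stream_id} flags=0x{f.flags:02x} len={len(f.payload)}")
```

Run it directly to print one line per frame: the HEADERS frame for stream 3 follows the one for stream 1 on the same connection, and the DATA frame for stream 3 comes after both, which is what “one connection for parallelism” looks like on the wire.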

Summary

So, to summarise: using TLS on your website makes your page
  • trustworthy
  • responsible
  • better ranked in Google
  • future-proof for modern browsers and HTTP/2

We’re happy to help make your web property trustworthy and future proof - please contact us today!

Once TLS is in place for the whole site, we recommend setting the HTTP Strict Transport Security (HSTS) header as well: it tells browsers to reach the site only over HTTPS for the stated period, so that plain-HTTP requests (and the redirects they need) no longer occur at all.
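The checks below, added here as an example (not code from the original post), verify the two parts of that recommendation on constructed sample responses rather than live ones: that a plain-HTTP response is a permanent redirect to an https URL, and that the HTTPS response carries a Strict-Transport-Security header that browsers will actually honour (per RFC 6797: max-age present and numeric, no repeated directive, and not relied upon over plain HTTP, where the header is ignored). The one-year minimum for max-age and the host name www.example.com are assumptions made for the example.

```python
"""Checks for a site that has just moved to TLS: plain-HTTP responses must redirect to
HTTPS, and HTTPS responses should carry a well-formed Strict-Transport-Security header
(RFC 6797) so that browsers stop issuing plain-HTTP requests for the host."""
from urllib.parse import urlparse

# One year is a common operational minimum for max-age (a policy choice, not an RFC rule).
MIN_MAX_AGE = 365 * 24 * 3600


def parse_hsts(value: str) -> dict:
    """Parse an STS header value into {directive: value}; raises ValueError for input a
    browser would discard (repeated directive, missing or non-numeric max-age)."""
    directives = {}
    for element in value.split(";"):
        element = element.strip()
        if not element:
            continue                      # empty elements are permitted by the grammar
        name, _, val = element.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        val = val.strip().strip('"')      # values may be quoted-strings
        if name in directives:
            raise ValueError(f"directive {name!r} appears twice")
        directives[name] = val
    if "max-age" not in directives:
        raise ValueError("required max-age directive is missing")
    if not directives["max-age"].isdigit():
        raise ValueError("max-age must be a non-negative integer")
    return directives


def _lower(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def check_http_redirect(status: int, headers: dict) -> list:
    """Findings for a response received over plain HTTP; an empty list means it is fine."""
    h = _lower(headers)
    findings = []
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect (301/308), got {status}")
    location = h.get("location", "")
    if urlparse(location).scheme != "https":
        findings.append(f"Location does not point to https: {location!r}")
    if "strict-transport-security" in h:
        # RFC 6797 section 8.1: STS received over a non-secure transport is ignored.
        findings.append("Strict-Transport-Security sent over plain HTTP has no effect")
    return findings


def check_hsts(headers: dict, min_max_age: int = MIN_MAX_AGE) -> list:
    """Findings for a response received over HTTPS; an empty list means it is fine."""
    h = _lower(headers)
    if "strict-transport-security" not in h:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(h["strict-transport-security"])
    except ValueError as exc:
        return [f"invalid Strict-Transport-Security header: {exc}"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy (only correct when rolling back)")
    elif max_age < min_max_age:
        findings.append(f"max-age={max_age} is below the {min_max_age}s minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set: subdomains remain reachable over plain HTTP")
    return findings


# Constructed sample responses (not real captures) for a hypothetical www.example.com rollout.
HTTP_RESPONSE = (301, {"Location": "https://www.example.com/"})
HTTPS_WEAK = {"Strict-Transport-Security": "max-age=300"}
HTTPS_GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    print("http redirect:", check_http_redirect(*HTTP_RESPONSE) or "ok")
    print("weak header:  ", check_hsts(HTTPS_WEAK))
    print("good header:  ", check_hsts(HTTPS_GOOD) or "ok")
```

Start with a short max-age while the redirect and certificate setup are being verified, then raise it to the full value; a long max-age on a host that later turns out to have a broken HTTPS setup locks users out for the whole period.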

[^1] https://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0

[^2] https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html

[^3] https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

[^4] https://en.wikipedia.org/wiki/Transport_Layer_Security

[^5] https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

[^6] https://en.wikipedia.org/wiki/HTTP/2