February 10, 2018
Google Chrome Will Mark HTTP Sites ‘Not Secure’ from July 2018 with the Release of Chrome 68
For the past several years, Google has been strongly advising webmasters to adopt HTTPS encryption. Google said that within the last year, it has helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”.
The plan has rolled out in stages. The first stage came with Chrome 58, when Google marked all HTTP pages as “Not Secure” if they contained password or credit card payment fields. The second stage came with Chrome 62, when Google marked all HTTP pages opened in a private browsing window as “Not Secure”. The final stage begins in July 2018, when the Chrome 68 release will mark all HTTP sites as “not secure”.
In a recent announcement, Google confirmed that from July 2018, with the release of Chrome 68, every HTTP website that users visit in Chrome will be flagged as "Not Secure".
Understand the common signs
Developers have clearly heard the call. According to Google, the results of the efforts have been:
So it’s clear that HTTPS is the wave of the future when it comes to internet security.
What is Certificate Transparency?
Google’s Certificate Transparency is an open source project that aims to strengthen the SSL/TLS certificate system, which is the main cryptographic security system that underlies all HTTPS secure connections. It is an extra tier of certificate security that forms a Security Triad to ensure that clients navigating the internet are safe and secure.
What Is Certificate Transparency (CT)?
As the name implies, CT allows people on the internet to look at all certificates that have been issued by a Certificate Authority (CA). This is achieved using centralized logging to a collection of servers. These log servers talk to one another, to ensure consistency and reveal any unusual activity. Anyone can query the log servers to find out details on certificates that have been issued to anyone, by anyone. For example, a company could check to see what certificates have been created using its domains and details.
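As an added illustration of the domain check described above (not code from the original article), the following sketch reviews certificate log entries for a company's domains and flags issuers the company does not expect. The `LogEntry` fields, the CA names and the sample entries are constructed assumptions, not a real log's schema or data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:
    """Minimal view of a logged certificate (hypothetical fields, not a real log schema)."""
    serial: str
    issuer: str
    names: tuple  # DNS names taken from the certificate

def normalize(name):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def covers(monitored, cert_name):
    """True if cert_name is the monitored domain or one of its subdomains.
    Matching is on label boundaries, so 'notexample.com' does not match 'example.com'."""
    m, c = normalize(monitored), normalize(cert_name)
    return c == m or c.endswith("." + m)

def review(entries, monitored, expected_issuers):
    """Return (serial, issuer, matched_names, status) for each entry naming our domains."""
    findings = []
    for e in entries:
        hits = sorted({n for n in e.names for d in monitored if covers(d, n)})
        if not hits:
            continue  # certificate does not name any monitored domain
        status = "expected" if e.issuer in expected_issuers else "UNEXPECTED ISSUER"
        findings.append((e.serial, e.issuer, hits, status))
    return findings

# Constructed sample entries (not real certificates or CAs).
SAMPLE = [
    LogEntry("01", "Example Trust CA", ("www.example.com", "example.com")),
    LogEntry("02", "Other CA", ("*.shop.example.com",)),
    LogEntry("03", "Other CA", ("notexample.com", "example.com.other.test")),
    LogEntry("04", "Example Trust CA", ("WWW.Example.COM.",)),
]

if __name__ == "__main__":
    for row in review(SAMPLE, ["example.com"], {"Example Trust CA"}):
        print(row)
```

Entry 02 is the one a domain owner would investigate: it names a subdomain of the monitored domain but comes from an issuer that is not on the expected list.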
In a nutshell, Certificate Transparency is a third-party audit log required by Google/Chrome to display certificate ownership information. The information is publicly auditable. Once CT logging is enabled, that information will be public and cannot be deleted from the log. The following information appears in the CT log:
*Note: much of this information is already publicly available for external sites.
The Security Triad:
In case you haven’t noticed, over the years all client web browsers have been implementing various security notifications regarding the safety of websites. Browsers have become auditors of website security and show notifications to clients as they browse the web.
These notifications typically show green bars or padlocks if everything is secure and safe, yellow exclamation marks to make clients aware that the website is not as secure as it could be, and red strikes if the browser deems something unsafe for users. The notifications vary from browser to browser, but in the end they are all just disclaimers to inform web visitors about the safety of the website. Many things can contribute to these browser notifications, including outdated server software configurations, mixed or insecure content, or the certificate running on the website.
Now with Certificate Transparency there is a Web Security Triad. Security is not just limited to the Certificate Authority (Monitor) and Client browser (Auditor) like it used to be. Here’s what’s going on now.
CT is something that happens behind the scenes and is pretty much unnoticeable to browser clients navigating the web, but with its implementation there is a faster response and an extra tier of client safety when navigating the web.
For more information on Certificate Transparency feel free to visit https://www.certificate-transparency.org