HTTPS and Chrome's Security Push

Written by Joseph Poppy on 10/08/2018

Last month (July 2018, if you are reading this far in the future), Google Chrome started marking all non-HTTPS sites as "Not secure". The reasoning is simple: everything sent over plain HTTP can be read and altered by anyone on the path between browser and server, so the label is accurate. It is the final stage of a plan announced back in 2016 that set out to improve security across the web.

The first stage of this was to mark HTTP pages that collect passwords or credit card details (and the like) as not secure. Later, the label was extended to any HTTP page with fields users could type into, as well as any HTTP page visited in Incognito mode. As of July 2018, every page not using HTTPS is marked as not secure, whatever it does.

So, is this a positive promotion of good security hygiene or diversion from other cyber security issues? And what’s the actual impact to your organisation? Well...

We love acronyms

HTTP stands for HyperText Transfer Protocol. It is, in short, an application layer protocol over which information is exchanged between a web server and your browser. There is a bit more to it than that, involving more technical words, but that's the general gist. Basically, HTTP is what most people picture when they think of 'the internet' (strictly, it is the protocol of the web, which runs on top of the internet).

The problem with HTTP is that everything sent is plain text. Plain text is just that: unencrypted bytes that can be read easily by human eyes and very quickly by machines, including the machines of anyone sitting between your browser and the server, such as whoever runs the coffee-shop Wi-Fi. This is particularly troublesome when it comes to submitting passwords or, worse, credit/debit card details.

For this reason, HTTP sites are easy targets for man-in-the-middle attacks.

Man in the middle attacks

Many of you are no doubt aware of this concept and know what it is. If you do, bear with us as we do some explaining (alternatively, jump to the next heading). A man-in-the-middle attack (MITM) is one where communication between two parties is intercepted by a third party, who can read it and, unless something stops them, alter it.

If I may opt for a somewhat personal analogy:

Imagine way back when in the days of school, where you wanted to send a letter confessing your ardent love for Jane during a particularly riveting history lesson. You poured out your heart in the form of the finest romantic poetry, before folding it up and passing it along with the express instruction of "pass this to Jane." On its way to Jane, Frank picked it up and decided to give it a read. He was able to do so because you didn't have the foresight to construct a secret language known only to you and Jane. Not only did Frank discover your feelings, he was also free to make any changes he wished (or perhaps worse, ridicule your poetry). The note arrived at Jane's desk, she read it, your eyes met and then she never spoke to you again because you sent her a note comparing her to some form of unflattering animal... because Frank loved creating chaos.

By reading and then changing the contents of the note, Frank carried out a man-in-the-middle attack. Albeit an analogue one.

Painful memories aside, a MITM attack is conceptually simple and, because the opportunities are everywhere (shared Wi-Fi, a compromised router, a malicious proxy), one of the most common forms of attack. There are numerous ways an attacker can listen in on a network, waiting for an interesting piece of data to snatch up and exploit. Some of these methods are subtle and are typically only uncovered by a penetration test. Users submitting information over HTTP, however, make a cybercriminal's job a whole lot easier: there is nothing to decrypt.
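To make the plain-text problem and Frank's note-tampering concrete, here is an added example in Python (not code from the original post). It takes a constructed capture of a login form submitted over HTTP, reads the credentials straight out of it as a passive eavesdropper would, and then plays active Frank on a constructed server response, rewriting the page body and fixing up the Content-Length header so the browser accepts the altered page without complaint. The host, path, account numbers and credentials are all made up for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample traffic (not a real capture): a login POST as a browser sends
# it over plain HTTP, and the server's reply. Anyone on the network path sees
# exactly these bytes.
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21"
)

CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"<p>Pay your invoice to account 11112222.</p>"
)


def parse_http_message(raw: bytes):
    """Split an HTTP/1.1 message into (start line, header dict, body).

    Header names are lower-cased because HTTP treats them case-insensitively.
    The body is cut to the advertised Content-Length; trailing bytes are ignored.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    length = int(headers.get("content-length", len(rest)))
    return start_line, headers, rest[:length]


def sniff_form_fields(raw: bytes) -> dict:
    """Passive Frank: recover the submitted form fields from a plain-HTTP request.
    Returns an empty dict for anything that is not a URL-encoded form post."""
    _, headers, body = parse_http_message(raw)
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    # parse_qs decodes percent-escapes and returns a list per field (fields may
    # repeat); the first value of each is enough here.
    return {name: values[0] for name, values in parse_qs(body.decode("utf-8")).items()}


def tamper_body(raw: bytes, old: bytes, new: bytes) -> bytes:
    """Active Frank: alter the body in transit and correct Content-Length so the
    modified message still parses cleanly at the receiving end."""
    start_line, headers, body = parse_http_message(raw)
    new_body = body.replace(old, new)
    headers["content-length"] = str(len(new_body))
    head = start_line.encode("ascii") + b"\r\n" + b"".join(
        f"{name}: {value}\r\n".encode("ascii") for name, value in headers.items()
    )
    return head + b"\r\n" + new_body


if __name__ == "__main__":
    print(sniff_form_fields(CAPTURED_REQUEST))
    # {'username': 'alice', 'password': 'hunter2!'}
    print(tamper_body(CAPTURED_RESPONSE, b"11112222", b"99998888").decode("ascii"))
```

Nothing in the request tells the server that the reply it sent is not the reply that arrived; with HTTP there is no integrity check for the browser to fail. That is the gap the handshake in the next section closes.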

More than just an S

A more secure version of HTTP was needed and thus the predictably named HyperText Transfer Protocol Secure (HTTPS) was born. Much like HTTP, HTTPS sends information between browser and website, only it runs that HTTP traffic inside a separate protocol, TLS (Transport Layer Security), to make it secure. TLS (currently at version 1.2, with 1.3 due very soon) encrypts everything the two exchange, be it emails, form submissions, card data or the pages themselves, before it leaves the machine, and detects any tampering with it in transit. Even if a MITM (Frank) were to intercept it, he would see only ciphertext that he cannot practically decrypt, and any edit he made would be rejected at the other end.

This is largely down to a process known as the TLS handshake. This is where the server proves its identity to the client (your browser) and the two agree on the encryption method and the keys that will protect the session. (TLS can also authenticate the client with a certificate, but on the public web that is rare.) For the classic RSA key exchange, the process follows these steps:

  1. The client sends a "client hello" message containing a random value and the list of cipher suites it supports
  2. The server replies with a "server hello": "alright mate? Here's the one we'll use", picking from the client's list the suite it prefers (ideally the most robust on offer), along with its own random value
  3. The server also sends its certificate, which contains its Public Key. The client checks that the certificate is signed by a certificate authority it trusts, is in date, and names the domain in the address bar, to ensure the server is who it claims to be
  4. The client creates a Pre-Master Secret, encrypts it with the Public Key taken from the certificate and sends it to the server, so only the holder of the matching Private Key can read it
  5. The server decrypts the Pre-Master Secret with its Private Key. From the Pre-Master Secret and the two random values, client and server each independently compute the same Master Secret and, from that, the Session Keys
  6. The client sends a "Change Cipher Spec" message announcing that everything from here on is encrypted and integrity-protected with the Session Keys, and there is to be no argument on the matter, followed by an encrypted "Finished" message containing a checksum of the whole handshake so far
  7. The server checks that checksum (any tampering with the handshake by Frank shows up here) and sends its own Change Cipher Spec and Finished messages
  8. Using the Session Keys, secure communication is established between the two parties, and all data sent back and forth is now encrypted

This all takes place in the space of a few milliseconds, because computers are amazing. One caveat worth knowing: the version above uses the server's RSA key to protect the Pre-Master Secret, so anyone who later obtains that Private Key can decrypt traffic they recorded earlier. Most TLS 1.2 deployments instead agree the Pre-Master Secret with an ephemeral Diffie-Hellman exchange (ECDHE), signed by the server's key, so recorded traffic stays safe even if the key leaks, and TLS 1.3 removes RSA key exchange altogether. There are plenty of articles on the web that cover the TLS handshake in more detail, so we won't go any further here (not least because it involves a serious amount of maths), but for anyone left thinking 'huh?', there's a good, simple explanation on this ELI5 Reddit thread.
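Steps 5 to 7 are the part that is easiest to take on faith and hardest to picture, so here is an added example in Python (not code from the original post) that carries them through with the real TLS 1.2 key schedule from RFC 5246: the PRF, the Master Secret, the key block for an AES-128-GCM suite, and the Finished checksum. The handshake messages are constructed stand-in byte strings, and the RSA encryption of the Pre-Master Secret in step 4 is not modelled; the value is assumed to have reached the server intact. The point the example adds is why Frank cannot quietly strip the strong cipher suite out of the client hello: the two sides hash different transcripts and the Finished check fails.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: stretch secret and seed to `length` bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """The TLS 1.2 pseudorandom function: P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Step 5 of the handshake. Client and server both run this on identical
    inputs, so they end up with identical keys that never crossed the wire.

    Key sizes are those of AES-128-GCM: 16-byte keys and 4-byte fixed IVs, with
    no separate MAC keys because the cipher is AEAD.
    """
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    # Key expansion seeds with the randoms in the opposite order (RFC 5246 6.3).
    block = prf(master, b"key expansion", server_random + client_random, 2 * 16 + 2 * 4)
    return {
        "master_secret": master,
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """Payload of a Finished message (steps 6 and 7): 12 PRF bytes bound to a
    hash of every handshake message seen so far, so each side can confirm the
    other saw the same handshake."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def simulate_handshake(frank_tampers: bool) -> bool:
    """Derive keys on both sides and check the client's Finished; True = accepted.

    The handshake messages are constructed stand-ins (only their bytes matter)
    and the RSA encryption of the Pre-Master Secret is not modelled: the value
    is assumed to have reached the server intact. If Frank strips the stronger
    cipher suite from the ClientHello on its way past, the two transcripts no
    longer match and the downgrade is caught at the Finished check.
    """
    client_random, server_random = os.urandom(32), os.urandom(32)
    pre_master = b"\x03\x03" + os.urandom(46)  # RSA pre-master: version bytes + 46 random

    client_hello_sent = b"ClientHello:TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA"
    client_hello_seen = client_hello_sent
    if frank_tampers:
        client_hello_seen = client_hello_sent.replace(b"TLS_RSA_WITH_AES_128_GCM_SHA256,", b"")
    rest_of_handshake = b"ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"

    client_keys = derive_keys(pre_master, client_random, server_random)
    server_keys = derive_keys(pre_master, client_random, server_random)

    client_finished = finished_verify_data(
        client_keys["master_secret"], b"client finished", client_hello_sent + rest_of_handshake)
    server_expects = finished_verify_data(
        server_keys["master_secret"], b"client finished", client_hello_seen + rest_of_handshake)
    return hmac.compare_digest(client_finished, server_expects)


if __name__ == "__main__":
    print("clean handshake accepted:", simulate_handshake(frank_tampers=False))   # True
    print("tampered handshake accepted:", simulate_handshake(frank_tampers=True))  # False
```

Frank cannot fix up the Finished message himself because it is keyed with the Master Secret, which he never learns: he saw the Pre-Master Secret only in encrypted form. TLS 1.3 keeps this transcript-binding idea but replaces the PRF above with an HKDF-based key schedule.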

Back to Google Chrome

All that handshaking and key wrangling is what earns a site the green padlock in the address bar of your browser.

Most sites adopted HTTPS years ago, particularly large retailers. Some, however, have not. Not using HTTPS already puts a site at a disadvantage where Google is concerned, as HTTPS has been a ranking signal since 2014, so it has a negative impact on SEO. Now, in addition, anyone visiting an HTTP site will see an alarming "Not secure" label, regardless of whether the page processes any input or not.

In this age of cyber security awareness, people are becoming more cautious. Those without technical knowledge are likely to click away from a site as soon as they see this warning. Google Chrome is the most popular browser in the world, so if you haven't adopted HTTPS you're damaging your website in more ways than one: the SEO impact could cost you visitors, and the security warnings could well be sending away the ones who do arrive.

It's also convenient. HTTPS keeps data safe from those pesky men in the middle without you and the site having to agree a secret in advance: the certificate and the handshake set up the encrypted channel on the spot. Imagine having to arrange a password with every single website you visit, even just to browse the news. In principle, HTTPS ensures the data is readable only by the two parties involved.

HTTP (note the lack of S) sites can still be visited, and it's certainly not the case that all HTTP sites are malicious or that visiting one means all your data is stolen. They simply lack the protection of encryption, so users should be wary of what they submit, and should remember that what they read on such a page could have been altered on the way.

That green padlock allows you to browse in relative security; your data is protected in transit. Key word: relative.

My site uses HTTPS so I’m safe from attack, right?

Well yes, but more importantly: no. Safer is perhaps a better word. It's important to stress that the green padlock only tells you that the site is using HTTPS. Communications between your browser and the server in question are encrypted, and the certificate verifies that the server really is the domain shown in the address bar. Which is all well and good, until you visit a look-alike domain, see that little green padlock, and confidently enter your Outlook credentials, because you didn't double-check the address. A verified server is not the same as a trustworthy server: anyone can get a valid certificate for a domain they control, often for free. In fact, our penetration testers have run numerous successful phishing campaigns simply because users trusted our malicious sites on the strength of the TLS (still widely called SSL) certificate. You could still hand over all your cash to a scammer; HTTPS just makes sure that another scammer couldn't intercept the handover.

Also, there's a reason TLS is on version 1.2. Previous versions (and the predecessor SSL) were found to have cryptographic flaws that broke their security, hence the need to move on. The current version is considered strong and reliable until hackers or security researchers prove otherwise, at which point the industry will move on again, probably to v1.3 (due to be released any second now). That also means a site's TLS is only as good as its configuration: a server that still accepts SSLv3 or TLS 1.0 alongside 1.2, or offers cipher suites that were broken years ago, can be talked down to the weak option by an attacker in the middle. Using TLS makes intercepting information hard, but not impossible.
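As an added example (again in Python, not code from the original post), this is the kind of check a practitioner would run against a server's TLS configuration rather than trusting the padlock. One context is built the way it should be, another is deliberately built the weak way, and a small audit function reports anything that undermines the guarantees described above. Both contexts and the audit criteria are constructed for illustration; everything they call is the standard library's ssl module, and the exact list of suites reported depends on the OpenSSL build underneath.

```python
import ssl


def hardened_server_context() -> ssl.SSLContext:
    """A server context that speaks only TLS 1.2 and 1.3, refuses compression
    and offers only forward-secret AEAD cipher suites for TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # nothing older can be negotiated
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression leaks secrets (CRIME)
    # Ephemeral ECDH key exchange with an AEAD cipher. TLS 1.3 suites are
    # configured separately by OpenSSL and stay enabled regardless.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_server_context() -> ssl.SSLContext:
    """Constructed bad example: static RSA key exchange, so a leaked server key
    decrypts every recorded session, with the minimum version left at whatever
    the Python/OpenSSL build defaults to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES128-GCM-SHA256")  # Kx=RSA: no forward secrecy
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings; an empty list means nothing to fix.

    Python already sets OP_NO_COMPRESSION on new contexts, so the compression
    check only fires on a context where someone has cleared it.
    """
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"accepts protocol versions below TLS 1.2 (minimum is {ctx.minimum_version.name})")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue  # every TLS 1.3 suite is AEAD with ephemeral key exchange
        kea = (cipher.get("kea") or "unknown").lower()
        if kea not in ("kx-ecdhe", "kx-dhe"):
            findings.append(f"{cipher['name']}: key exchange {kea} gives no forward secrecy")
        if not cipher["aead"]:
            findings.append(f"{cipher['name']}: not an AEAD cipher")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
    print("weak:", audit_context(weak_server_context()))
```

The same three questions (oldest protocol accepted, compression, key exchange and cipher per suite) are what an external scanner asks of a live server; running them against your own configuration before the scanner does is the cheap version of the penetration test mentioned below.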

Security is a never-ending race between the good guys and the bad, with attackers often finding ways around good security practices. Even with HTTPS in place, there are plenty of other vectors for them to try. That's why security best practices (and companies like us) exist. For example, the best way to find your web infrastructure's vulnerabilities is a penetration test. We've written a blog about what penetration tests are, but in brief: it's an ethical, controlled hack. It lets you discover and fix problems such as XSS vulnerabilities, which HTTPS does nothing to prevent, before a real-world attacker does.

Summing up

By displaying a security warning for all non-HTTPS sites, Chrome will undoubtedly drive forward HTTPS adoption, which is a good thing for cyber security in general. Ideally there should be education about what the little green padlock actually means and, crucially, what it doesn’t.

  • Bulletproof are CREST approved
  • Bulletproof are ISO 27001 and 9001 certified
  • Bulletproof are Tigerscheme qualified testers
  • Bulletproof are a PCI DSS v3.2 Level 1 service provider
  • Bulletproof have a 24/7 on-site Security Operations Centre
