Unsecured ways of web browsing are fading away at accelerating pace. Technically this is done thanks to the increased deployment of HTTPS on the of web. Data indicates that above 70% of websites are now accessed via this secured protocol, those numbers quickly increasing. This is an important milestone in information security. How did we get here?
It was a long process, involving years of security research, engineering, awareness, and incentive building. Public pressure played a significant role as well. But to fully appreciate the underlying processes, I’ll focus on the technical foundations. There are three important factors of this evolution that are worth mentioning:
- availability of affordable HTTPS certificates thanks to providers such as LetsEncrypt,
- flagging of connection to websites as “Not Secure” by major browsers (Chrome 68 makes it the default as of July 2018),
- evolution of the web, driven by standardisation of browser mechanisms.
In simple terms, HTTPS guarantees three important aspects:
- the user can be sure of the identity of a website,
- data integrity is protected from tampering during - the user-server connection, data confidentiality is guaranteed.
LetsEncrypt was a game changer since it offered certificates free of charge. Affordability and simplicity of this process on the one hand, and adequate computing performance of modern servers on the other has allowed for an aggressive push for a wide adoption of HTTPS.
Why would the system owner want to setup HTTPS? Aside from the altruistic desire of making web browsing safer for users, there are other motivating factors. You can think of them as of a “carrot and stick” approach.
Not Secure flags
Web browser vendors started marking websites accessed via HTTP with a “Not Secure” in the URL bar. The associated potential negative impact on the user trust towards a website is an understandable consequence. This in particular may serve as a motivation for decision makers (owners, managers, etc) and developers. Sticking to HTTP may be unsustainable.
That’s not all. While the rise of LetsEncrypt and browser “flags” are among the crucial strategic motivators and are relatively well-known, this is not the case with another important component of the web ecosystem. Standardisation.
Modern Web features require HTTPS
Modern web features make browsers powerful. Good examples are:
- mechanisms such as the ability of using low-level hardware (e.g. sensors),
- ability of making connections outside internet even, with Bluetooth or USB.
All from the level of a website the user is visiting. These features are powerful and sensitive. So they are made - by design - available only via secured channels. Technically speaking, this is done by standardising browser features to function only when accessed within the “Secure Contexts”. Among the required elements to meet this level is a HTTPS connection.
Consequently, to make a modern web application, HTTPS therefore becomes the norm. The initial element of the setup, rather than the last one. Consequently, the adoption of HTTPS will be further accelerated by modern web design patterns. Developers themselves will help making this happen.
Reframing this - it can be understood as using the web and “network effects” to further increase the adoption of secure ways of web browsing. It is perhaps similar to incentivising users to install security updates by shipping new emoji packages.
With a broad adoption of secure connections via HTTPS, many security issues of the past will be solved. This process will take some time, but not too long. This aspect of security and privacy will be in a good shape soon. We will all benefit from it.
Appendix - some web mechanisms requiring HTTPS (“secure contexts”)
Secure Contexts becomes the norm for powerful features. While there is no place listing the browser mechanisms requiring secure contexts / HTTPS, I list some good examples below: