by Ross Foley, Cyber Security director, PwC
For as long as most of us with even half an eye on internet security can remember, the message has been clear: if you are entering sensitive information on a website make sure the connection was over the secure HTTPS protocol... or in other words look for the padlock in your browser!
However, during general browsing whether a website was connected over http or https, was likely an irrelevance. From here on in, that changes...
Accounting for nearly 60% of all browser-based traffic, Google Chrome is the world’s most popular desktop browser, and from 24th July, with the launch of v.68, Chrome will brand every site connecting over HTTP as “Not Secure”. But what does this really mean?
When connecting to a site over standard HTTP, data remains unencrypted, which under the right circumstances allows this traffic to be intercepted, read or even modified without the user’s knowledge. Known as a “man in the middle” attack, this can leave unsuspecting users susceptible to being redirected to malicious sites, having cryptocurrency mining software embedded in the websites they visit, or simply having their user credentials breached. By highlighting any and all unencrypted traffic so visibly, Google aims to drive up the level of security online.
However, as the encrypted HTTPS protocol (the S standing for Secure) has largely been used only on websites where sensitive data is being transferred, only one in two sites currently default to the encrypted standard.[1]
While in the long term Google will undoubtedly force organisations to raise the bar in terms of security, in the short term it may lead to confusion and even alarm for many users. Those who are not aware of the change will now simply be faced with the “Not Secure” message on many of the websites they visit regularly.
So from today, what do organisations need to do in order to adapt to the changes?
Start preparing for HTTPS - Quite simply, even if you do not transfer any sensitive data over your website, the reputational impact of being branded Not Secure should not be underestimated, so start making plans to shift your sites across sooner rather than later.
Brief your social media and comms teams immediately - If you are not using HTTPS, expect to be contacted by customers asking about the Not Secure message in their browser, so make sure your social media teams are briefed with an appropriate response.
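Before planning the migration it helps to know which of your hostnames will actually carry the label. The script below is an added example, not part of the original article: it classifies what a plain http:// visit to a host means for a Chrome 68 user, treating only a same-host redirect to HTTPS as "moved over", and only a redirect backed by an active HSTS header as fully protecting returning visitors. The verdict labels and the sample hostnames are my own constructions; `probe()` does a live check, while the `__main__` block runs on constructed responses so it works offline.

```python
"""Classify how a site's plain-HTTP origin will appear to Chrome 68+ users."""
import http.client
from urllib.parse import urlparse

# Verdict labels are assumed for this example, not Google's terminology.
NOT_SECURE = "not_secure"            # every page view carries the "Not Secure" label
REDIRECT_ONLY = "redirect_no_hsts"   # lands on HTTPS, but the first request is still plaintext
GOOD = "redirect_with_hsts"          # HTTPS plus HSTS, so returning browsers never send HTTP


def hsts_active(header):
    """True if a Strict-Transport-Security header carries a positive max-age."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().strip('"').isdigit():
            return int(value.strip().strip('"')) > 0
    return False


def classify_origin(host, status, location=None, hsts=None):
    """status/location come from http://host/, hsts from the HTTPS response it lands on."""
    if status in (301, 302, 307, 308) and location:
        target = urlparse(location)
        # Only a redirect to HTTPS on the same host counts as having moved the site over.
        if target.scheme == "https" and (target.hostname or host) == host:
            return GOOD if hsts_active(hsts) else REDIRECT_ONLY
    # Content served over HTTP, or a redirect that stays on HTTP, is flagged.
    return NOT_SECURE


def probe(host, timeout=5):
    """Live check: request http://host/ without following redirects, then fetch HSTS over TLS."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    location, hsts = resp.getheader("Location"), None
    if location and urlparse(location).scheme == "https":
        tls = http.client.HTTPSConnection(host, timeout=timeout)
        tls.request("HEAD", urlparse(location).path or "/")
        hsts = tls.getresponse().getheader("Strict-Transport-Security")
    return classify_origin(host, resp.status, location, hsts)


if __name__ == "__main__":
    # Constructed responses so this runs offline; use probe("your-host.example") for a live check.
    samples = [("shop.example", 200, None, None),
               ("blog.example", 301, "https://blog.example/", None),
               ("bank.example", 301, "https://bank.example/", "max-age=31536000; includeSubDomains"),
               ("old.example", 302, "http://old.example/home", None)]
    for host, status, loc, hsts in samples:
        print(f"{host:13} -> {classify_origin(host, status, loc, hsts)}")
```

A host that comes back `not_secure` is one whose visitors will see the new warning from day one; `redirect_no_hsts` hosts are fine once the redirect lands, but their first request each visit still travels in the clear.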
For users, much of the old advice still rings true. When you are transferring any sort of information, make sure you are using a secure HTTPS connection. Similarly, when you are using a site flagged as Not Secure, be more vigilant, particularly on public Wi-Fi such as that in coffee shops or hotels, where a man in the middle attack may be more likely. In these situations a VPN can also add an extra layer of protection to your traffic, even on HTTP sites.
Today it may only be Google that is publicly flagging HTTP sites as “Not Secure”, but don’t expect other browsers from major players such as Microsoft, Apple or Mozilla to be far behind. Make no mistake, today marks a watershed moment in the general standard of security online, and one which in the long term can only make the average user more secure... but as always with security, we all need to be prepared for the short-term user impact that may be felt.