Google's Security Update for HTTPS - July 2018

Google has openly stated that the objective of its search is always to improve the user experience by delivering relevant search results that provide meaningful and useful information to the end user. Underscoring this is the need to protect the user and website owner from unauthorised hacking-type activity aimed at compromising confidential or private information for fraudulent purposes.

For over two years, Google has been flagging and advocating that sites adopt HTTPS encryption. (Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted.)

With the release of Google Chrome version 68.0 in July 2018, websites that are not secured with HTTPS will be flagged as follows:

[Image: Google HTTPS July 2018]

Not having a compliant website is bad for business: the warning will signal to existing and potential customers that there is possibly danger ahead. The point is that whilst your website may be safe, the warning hardly inspires confidence, and for the sake of adopting best practice it is negligent not to secure a website. Whilst it is likely not intentional, the message or perception that may be drawn is that a website not secured by encrypted HTTPS has minimal regard for respecting and protecting the privacy and confidentiality of customers' information. This is regardless of how innocuous the intentions are; perception is everything.

This also extends to simple forms that are not secured. Website users should not provide personal information unless the form is protected with a reCAPTCHA check box. This assists in ensuring that forms on the website are submitted by humans, and not by an automated bot.

[Image: reCAPTCHA tool]

As of February 2018, Google estimates that 68% of Chrome traffic on both Android and Windows, and 78% of Chrome traffic on both Chrome OS and Mac, is now protected. It was noted that 81 of the top 100 sites by traffic on the web use HTTPS by default. According to the authoritative source StatCounter, the Chrome browser has 60.21% market share in New Zealand and 50.05% in Australia as at May 2018.

 
[Image: StatCounter browser market share, New Zealand, monthly, May 2017 to May 2018]
[Image: StatCounter browser market share, Australia, monthly, May 2017 to May 2018]
 

This is a serious concern. We have seen many websites that have taken no action on this issue, including a high-profile personnel agency in Christchurch. Not only are they requesting prospective candidates to submit resumes via insecure forms on an insecure website, but part of their site presents a security certificate that is not theirs. Although we have drawn these failings to their attention, they have done nothing, and this remains the status quo as of writing this blog. (As of February 2019 their website still remains insecure.) This complacency presents a significant business risk. Fortunately, most businesses take the protection of client information responsibly and seriously. This results in an environment where website users may be confident that information shared is secure and safe.

At Move37 Consulting we can assist in successfully transitioning your website to HTTPS. Please contact us.


UPDATE 25 JULY 2018

Google have implemented the security update with the release of Chrome version 68 on 25 July 2018, so websites that do not have an HTTPS certificate installed will report as not secure as detailed within this blog.


Gavin Bennett