It's time to move to TLS!
11-01-2017, 06:52 PM
No, this isn't a joke. This is a serious thread, and it really applies to everyone here with a website, not just TTA (which is why I put it in this forum instead of the suggestion forum). But it especially applies to TTA as well!

A bit of background info...

1. SSL is dead, long live TLS!

TLS is the successor to the now obsolete SSL standard. Despite this, we still say SSL when we really mean TLS, and we continue to call security certificates SSL certificates, even though SSL is officially dead, buried, and cremated, as our wise ex-leader would say. LONG LIVE TLS!

2. HTTP is heading towards obsolescence.

HTTP is no longer considered best practice by Google and Mozilla, two of the largest and most influential companies in the tech industry. This has already started, and I will show you using screenshots below. First I'll show you a TLS website, using my own as an example, compared to an insecure website:

[Image: tD6VzHB.png]
[Image: H2fIFwf.png]

[Image: DIM5jaG.png]
[Image: TUzxytI.png]

Notice that Chrome now issues a direct warning not to send passwords etc. over insecure websites, but also that Firefox puts the connection type in a coloured font. Also, Chrome will no longer display your favicon in the address bar, and instead shows an "information icon", for lack of a better phrase. Finally, Chrome has also expanded the area to the left of the address when on a secure website to make it more obvious what type of connection you are on. And this is only the first phase; soon this is what will be displayed instead:

[Image: ssl_future.jpg]

In a moment I'll show you this is their clear policy, but before we do that - remember IE11? Let's have a look at just how different an HTTPS page looks in IE11:

[Image: qHuw4aE.png]

Opera 42 is only slightly more obvious than IE11.

3. Google Policy

Now, how do we know this is Google's policy? Well, it was proposed in December 2014 by Chris Palmer, of the Chrome Security Team, and you can read it here. An announcement on Google Security Blog dated 8 September 2016 provides the full picture. I have reposted it below and it is vitally important you read it:

Emily Schechter | Chrome Security Team wrote:

Moving towards a more secure web

[Updated on 12/5/16 with instructions for developers]

Developers: Read more about how to update your sites here.

To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

[Image: DX1R2fL.png]

Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.

A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we released our HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.

Studies show that users do not perceive the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. Our plan to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.

In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

[Image: img.png]

We will publish updates to this plan as we approach future releases, but don’t wait to get started moving to HTTPS. HTTPS is easier and cheaper than ever before, and enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. Check out our set-up guides to get started.

4. Mozilla Policy

The Mozilla Foundation is also pushing the move to phase-out the HTTP protocol. They announced this on 30 April 2015:

Richard Barnes | Mozilla Security Blog wrote:

Today we are announcing our intent to phase out non-secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.


5. What does all this mean?

HTTP is officially seen as depreciated by Google and Mozilla. I can't stress that enough. It's not going to be good enough to wait until it throws up warnings for everyone; the fact is that it's happening now. They are actively working to fully depreciate the insecure web. And that's a good thing.

As many people may know, HTTPS requires a heavier server load compared to HTTP, and also uses a bit more bandwidth client-side. The result is slightly slower websites with higher server requirements. That's one reason why you see so many websites which enforce the HTTP protocol, even when they have a security certificate. eBay is an excellent example, as are news websites - and of course personal blogs and forums like this. Chrome is already warning users NOW: "do not enter passwords on this site".

Later this month Chrome will put "Not secure" in grey in the address bar of all HTTP websites, and later this year it will be in red as you saw above.


[+] 3 users Like Aractus's post
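The post above points out that many sites keep serving plain HTTP even though they already own a certificate. The script below is an added example, not code from the original post or from any browser vendor: it checks, from raw responses supplied inline, whether an origin actually enforces TLS, first by confirming that port 80 answers with a permanent redirect to the same resource on https://, and second by confirming that the HTTPS response carries a Strict-Transport-Security header so returning browsers never retry port 80. The host name `forum.example` and the response texts are constructed for illustration; the one-year max-age bar is this example's assumption (it is the value the hstspreload.org submission rules ask for), not something stated in the thread.

```python
"""Check whether an origin really enforces HTTPS (added example, offline).

Two questions a site owner should answer before calling the move to TLS done:
  1. Does plain HTTP answer with a 301/308 to the same path over https://?
  2. Does the HTTPS response set Strict-Transport-Security with a max-age of
     at least one year (assumed threshold, see lead-in)?
Nothing is fetched; the raw responses are passed in as strings.
"""
from email.parser import Parser
from typing import Optional
from urllib.parse import urlsplit

ONE_YEAR = 365 * 24 * 3600
# Only permanent redirects count: a 302/307 still lets clients keep trying HTTP.
REDIRECT_CODES = {301, 308}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = Parser().parsestr(header_text)  # case-insensitive header lookup
    return status, headers


def hsts_max_age(value: Optional[str]) -> int:
    """Return max-age from a Strict-Transport-Security value, or -1 if absent/malformed."""
    if not value:
        return -1
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def enforces_https(http_url: str, http_raw: str, https_raw: str) -> dict:
    """Classify how strictly an origin pushes clients onto TLS."""
    status, headers = parse_response(http_raw)
    wanted = urlsplit(http_url)
    target = urlsplit(headers.get("Location", ""))
    redirects = (
        status in REDIRECT_CODES
        and target.scheme == "https"
        and target.hostname == wanted.hostname
        and (target.path or "/") == (wanted.path or "/")
    )
    _tls_status, tls_headers = parse_response(https_raw)
    max_age = hsts_max_age(tls_headers.get("Strict-Transport-Security"))
    if redirects and max_age >= ONE_YEAR:
        verdict = "enforced"
    elif redirects:
        verdict = "redirect_only"  # works today, but every first visit still starts in the clear
    else:
        verdict = "http_allowed"   # has a certificate, still serves the page over HTTP
    return {
        "redirects_to_https": redirects,
        "hsts_max_age": max_age,
        "verdict": verdict,
    }


# Constructed responses for a hypothetical host; not captured from any real site.
GOOD_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://forum.example/index.php\r\n"
    "Content-Length: 0\r\n\r\n"
)
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
PLAIN_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    url = "http://forum.example/index.php"
    print(enforces_https(url, GOOD_HTTP, GOOD_HTTPS))   # enforced
    print(enforces_https(url, GOOD_HTTP, PLAIN_PAGE))   # redirect_only
    print(enforces_https(url, PLAIN_PAGE, PLAIN_PAGE))  # http_allowed
```

Run it against your own origin by substituting the two responses you get from `curl -si http://host/` and `curl -si https://host/`; a verdict of `http_allowed` is exactly the situation the post describes, a certificate that is installed but never enforced.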
12-01-2017, 07:45 PM
RE: It's time to move to TLS!
I learned about this after I noticed the "Secure" wording next to the padlock in Chrome. So the change has had the exact intended effect, which is to get people to notice this change in policy. As I said, this is something to take very seriously, because in a matter of just days now this is what this forum will look like in Chrome:

[Image: qkQzYfF.png]

Before transitioning to this sometime in the coming months:

[Image: ssl_future.jpg]

This will affect every website using HTTP; however, they are going to begin by targeting any website that has a form on it of any kind for users to enter data, which means any forum or WordPress website, etc., that has a log-in form will be targeted immediately, while websites that are just static pages will be targeted later. We'll have to wait and see when Mozilla is going to do similar things in Firefox, but I imagine they want to offset the implementation of this so that the direct impact on hosts and datacentres is mitigated somewhat. This is a GREAT move in my opinion; it doesn't solve the issues with CDN SSL deployment, and I would hope that robust standards could be applied to CDNs in the future to ensure that they cannot know your private key.

For many people this will mean moving hosts, and for many other websites like this one it will undoubtedly mean higher resources are needed on the server.

Moving to HTTPS now is of course especially important if you have a business website with a contact form as Chrome is already warning customers not to enter any sensitive information on your website like this:

[Image: TUzxytI.png]

And that does not look very professional.

13-01-2017, 01:53 PM
RE: It's time to move to TLS!
(11-01-2017 06:52 PM) Aractus wrote: HTTP is officially seen as depreciated by Google and Mozilla.

Thanks for the info.

N.B. The word you want is deprecated.

[+] 1 user Likes Chas's post
13-01-2017, 06:52 PM
RE: It's time to move to TLS!
TLDR. How is this going to affect pornhub and xhamster?

29-01-2017, 07:30 PM (This post was last modified: 29-01-2017 07:40 PM by Aractus.)
RE: It's time to move to TLS!
(13-01-2017 01:53 PM) Chas wrote: Thanks for the info.

N.B. The word you want is deprecated.

Haha, serves me right for typing it while intoxicated!

Now guys, Firefox has begun the warnings:

[Image: LSca6fH.png]

This will appear on all pages with the login box - to see it, open Firefox, sign out and log back in. Another way to see it is to go to the search page, click submit and then press back on the browser. As mentioned in the OP, Mozilla and Google are specifically targeting pages that have logins and other input boxes that contain personal information like your address, or God forbid your credit card. You can see that its warning is specific for logins:

[Image: G2zuWhM.png]

But they will be moving to showing your website this way for ALL pages within just a few months. What's interesting about this is that this is the first time the insecure icon has ever been used for HTTP pages, it is usually used to indicate a problem with the site's TLS connection.

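The quoted Chrome 56 criterion in the first post (HTTP pages with password or credit-card fields are marked "Not secure"), the second post's point that any forum or WordPress login form is hit first while static pages come later, and the Firefox login-form warning shown in the post above all describe the same check. The script below is an added example, not code from the thread or from either browser: it runs that check over HTML supplied inline so a site owner can find the affected templates before the browsers flag them. The sample pages and host names are constructed for illustration; recognising a credit-card field only by `autocomplete="cc-number"` is this example's simplification (the real browsers also use name-based heuristics the thread does not describe).

```python
"""Flag pages that Chrome 56 / Firefox 51 label as insecure (added example).

Criterion from the quoted Google announcement: a page served over http:// that
contains a password or credit-card field. HTTPS pages are fine; HTTP pages with
no such field keep the neutral indicator for now.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SensitiveFieldFinder(HTMLParser):
    """Collect <input> fields a browser would treat as password or card entry."""

    def __init__(self):
        super().__init__()
        self.passwords = []
        self.card_fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.passwords.append(a.get("name", "?"))
        elif a.get("autocomplete") == "cc-number":  # assumption: autofill token only
            self.card_fields.append(a.get("name", "?"))


def classify_page(url: str, html: str) -> dict:
    """Return the indicator each browser shows for this URL and markup."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    scheme = urlsplit(url).scheme.lower()
    sensitive = bool(finder.passwords or finder.card_fields)
    if scheme == "https":
        chrome, firefox = "Secure", "padlock"
    elif sensitive:
        chrome, firefox = "Not secure", "struck-through padlock"
    else:
        chrome, firefox = "neutral (i)", "neutral"  # slated to become "Not secure" later
    return {
        "url": url,
        "passwords": finder.passwords,
        "card_fields": finder.card_fields,
        "chrome56": chrome,
        "firefox51": firefox,
        "fix": "serve over https://" if scheme != "https" else None,
    }


# Constructed sample pages, not taken from any real site.
SAMPLES = {
    "http://forum.example/member.php?action=login": (
        '<form method="post"><input name="username">'
        '<input type="PASSWORD" name="password"><input type="submit"></form>'
    ),
    "http://shop.example/checkout": '<input name="card" autocomplete="cc-number">',
    "http://blog.example/about": "<p>Static page, no forms.</p>",
    "https://forum.example/member.php?action=login": '<input type="password" name="password">',
}


def scan(samples=SAMPLES):
    """Classify every sample page; returns one result dict per page."""
    return [classify_page(url, html) for url, html in samples.items()]


if __name__ == "__main__":
    for r in scan():
        print(f'{r["chrome56"]:<12} {r["firefox51"]:<22} {r["url"]}')
```

Feeding it your own templates (or `curl`ed pages) is enough to list which URLs get the red warning first; the only fix the script suggests is the one the thread argues for, serving the page over https://.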