Google Takes Another Step Forward in Cleaning Up The Security of the Internet


Good for Google: after 40 years of inaction by the IT industry, they decided to mark sites without the correct digital certificate on HTTPS as a security risk. Why? Because we need to dump HTTP. Not just because it can be sniffed, which is bad in itself, but because sites should identify themselves properly. A site without a certificate should be aged out of the Internet, forever. It is unbelievable that some companies still say “Our site is okay without a certificate, as we flip to HTTPS when there’s a payment” and miss the point that there is almost no trust involved in a site without the certificate.

And so Google Chrome, which has over 70% of the browser market (Figure 1) and which is rising all the time, has the clout to move the industry, and so we have seen a massive ramp-up in the correct usage of certificates. Those who have incorrect certificate details are marked as a security risk.

Figure 1: Market shares for browsers

All that is required now is to download the Let’s Encrypt application, run it on the trusted server, and you have a new key pair and a trusted certificate, with no payments required. So after years of paying for a certificate, for the renewal of the certificate on my own site, I just turned to Let’s Encrypt.

Within minutes, I had a shiny new (and trusted) certificate.

And why not? If your user base is still running an unpatched Internet Explorer 4.0 on Windows XP, then migrating to HTTPS might be difficult, but few browsers in the world now struggle to support a secure connection.

So Google are moving the industry one step forward, and will soon be blocking the mixture of HTTP and HTTPS, which can be so confusing. On a well-managed site, you basically just redirect “HTTP” to “HTTPS”, and now Google wants to make sure that HTTP is consigned to history. With HTTP, too, malware can easily install a backdoor/proxy on communications and spy on the user.

So, Chrome 80 will automatically redirect audio and video to HTTPS, and then Chrome 81 will start to block some content with HTTP, with a final blocking in a future version for all mixed HTTP/HTTPS.
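To find out what a site would lose under this change, a site owner can audit pages for subresources still referenced over plain HTTP. The following is an added example, not code from the original article: it splits findings into the audio/video references the article says Chrome 80 redirects to HTTPS and everything else, which is what later blocking would affect. The sample page and its `example.test` hostnames are constructed.

```python
from html.parser import HTMLParser

MEDIA_TAGS = {"audio", "video"}  # per the article, Chrome 80 redirects these to HTTPS

class MixedContentAuditor(HTMLParser):
    """Collect http:// subresources that an HTTPS page would load."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (tag, url, category) tuples
        self._in_media = False  # True while inside <audio>/<video>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in MEDIA_TAGS:
            self._in_media = True
        urls = [attrs.get("src")]
        # Stylesheets are fetched via href; <a href> is navigation, so it is skipped.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            urls.append(attrs.get("href"))
        for url in urls:
            if url and url.strip().lower().startswith("http://"):
                is_media = tag in MEDIA_TAGS or (tag == "source" and self._in_media)
                self.findings.append((tag, url.strip(), "media" if is_media else "other"))

    def handle_endtag(self, tag):
        if tag in MEDIA_TAGS:
            self._in_media = False

def audit(html):
    """Return every insecure subresource found in the HTML text."""
    parser = MixedContentAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the example.test hostnames are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="https://static.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<video controls><source src="http://media.example.test/intro.mp4"></video>
<audio src="HTTP://media.example.test/jingle.mp3"></audio>
<a href="http://example.test/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, category in audit(SAMPLE_PAGE):
        print(f"{category:5}  <{tag}>  {url}")
```

Anything reported as `other` should be moved to an HTTPS URL first, since that is the content the article describes as headed for blocking rather than automatic redirection.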

Conclusions

One must ask: “Why did it take so long to do this?” and “Can we next clean up the complete untrustworthiness of email?” Internet security is basically flawed, and leaves the door open to so many security threats.