Feeling insecure? If you have an insecure website, you probably should be feeling insecure. Google has been saying for a couple of years now that a more secure web is a major goal, and they’re about to get serious.
As of January 2017, Google Chrome marked any page that asks for passwords or credit card information without https as insecure. In October 2017, any page asking for information of any kind without https will be marked as insecure. Google intends to serve these warnings for all http pages “eventually,” though they haven’t specified their 2018 plans yet. Firefox is also serving warnings already. So if you’ve been waiting to get https for your website, now’s the time.
What is https?
HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP: it encrypts the traffic between a visitor’s browser and your web server so that it cannot be read in transit. Plain HTTP does not do this and is not secure. You might hear terms like “secure connection” or “secure portal” when people talk about https.
Any page that asks for credit card information obviously must be secure. Any page that transfers patient information or other sensitive data should also be secure. An ecommerce site has to be secure, and so does a patient portal. If you have either of these functions at your website, you probably already have https.
But many current websites are not in fact secure. If your website is mostly for patient education or brand awareness, you might not have bothered to add the extra layer of security involved in https. It used to be an expensive undertaking, and it might have been on your “someday” to-do list for years.
A page like the one you’re on now doesn’t require any particular level of security because we’re not collecting information. But insecure websites sometimes have both pages like this one and pages that need to be secure. Google’s crusade against insecure websites is responding to that kind of situation.
How can you make your website secure?
HTTPS is a hosting issue. That is, it doesn’t depend on how your website is designed, written, or built. It’s how you’re hosted. An SSL certificate must be installed on the server — the computer — that houses your website. Your hosting company should see to this for you.
That used to be expensive, but it should no longer be. We recommend WPEngine, which provides secure hosting at no additional cost. Use the link below to get a special deal from WPEngine.
The https = secure myth is just that. It doesn’t prevent exploitation, data exfiltration, or some MiTM attacks. The only thing it prevents is session hijacking and fixation attacks.
It did help to kill off FireSheep, but led to many thinking that https means your website is secure. It’s a non sequitur.
Https is also dependent on the website setup, not just hosting. Including absolute URLs to http versions of resources will give mixed content warnings about the page not being secure. Yes, it’s usually down to the host to install the SSL/TLS certificate, but design and development must also take the switch into account.
A simple XSS vector can make TLS/SSL on your website redundant and provide no security whatsoever – one could use it, for example, to rewrite the post location of a form to act as a MiTM for account details.
From the viewpoint of experience in ethical hacking.
That’s interesting. At this point, it makes sense to use the https protocol just because Google favors it. However, it’s disheartening to hear that it doesn’t offer much security. Is it just the fact that someone with skills who is determined to break in will be able to — just as is the case with your house, in spite of your locks and watchdog? Or do you think the https protocol should be changed?
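The mixed-content and insecure-form-action problems raised in the comment above, as an added example that is not part of the original post or its comments: a small Python scanner that flags absolute http:// subresources and form targets in a page meant to be served over https, which is the kind of check a developer can run before (or after) the host switches the certificate on. The hostnames in the sample page are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "Active" references run code or carry user input, so browsers block them (or warn, for
# forms) on an https page; "passive" ones only downgrade the padlock. Lists are illustrative.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data"),
          ("embed", "src"), ("form", "action")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    """Collect resource references on an https page that point at plain http:// URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, attribute, url)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are fetched as subresources; canonical/alternate links are not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            key = (tag, name)
            if key in ACTIVE:
                severity = "active"
            elif key in PASSIVE:
                severity = "passive"
            else:
                continue
            url = (value or "").strip()
            # Relative ("/x.css") and protocol-relative ("//host/x.css") URLs inherit the
            # page's scheme, so only an explicit http:// scheme is a mixed-content problem.
            if urlsplit(url).scheme.lower() == "http":
                self.findings.append((severity, tag, name, url))

def scan_mixed_content(html: str):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (placeholder hostnames): a blocked stylesheet, a canonical link that
# is never loaded, a passive image, a safe protocol-relative image and a login form whose
# action would send the password over plain http.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script></head><body>
<img src="http://www.example.com/logo.png">
<img src="//www.example.com/banner.png">
<form action="http://www.example.com/login" method="post"><input name="password"></form>
</body></html>"""
REPORT = scan_mixed_content(SAMPLE_PAGE)  # three findings: stylesheet, logo image, form action
```

Run it against the saved HTML of each template or page and fix every "active" finding before relying on the padlock; "passive" ones still need fixing for the page to show as fully secure.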