As you have probably heard by now, Google is apparently planning to change the way it flags websites according to their perceived security level.
To do this, according to media accounts, Google’s Chrome browser will display a red X adjacent to the Web address in the browser’s address bar. The existence of this marking is supposed to alert site visitors that the page they’re visiting doesn’t have the ability to encrypt their communications.
In one sense, this is a nice idea. It’s easier to misdirect a browsing session if the site isn’t encrypted and thus equipped with a security certificate. It’s also easier to intercept your browsing session when you are sending or receiving sensitive information if all you’re using is HTTP.
However, it’s important to note that just flagging a site as insecure because it doesn’t use encryption is no guarantee of security, nor is it an indication that there’s anything insecure or risky about a site that’s not encrypted. In fact, by sending traffic preferentially to encrypted sites, Google is placing smaller sites and sites run by individuals at a significant disadvantage without any offsetting benefit to Web users.
In effect, that red X can effectively be a scarlet letter of shame for websites that have no security lapses other than not supporting HTTPS. What’s worse is that Google is planning to enforce its security plans by demoting sites without HTTPS in its search rankings. Small sites and sites run by individuals may not feel that spending $200 per year to set up a site with Secure Sockets Layer (SSL) is worth the cost or even something they can afford at all.
What’s worse is that a site running HTTPS can still be insecure; it can still host malware and it can still lead to a phishing site. The only difference is that you’ll feel warmer and fuzzier while it’s doing it.
Still, in many cases insisting on an SSL connection provided by an HTTPS site can be very important. Any site that’s doing ecommerce in any way at all needs a secure connection. If you don’t see the green padlock or the green address bar on your browser, then you don’t want to use it to share anything that includes personal or financial information.
I’m not suggesting that using an SSL-enabled website isn’t a good idea, because it is. It’s just that using SSL, which is what you get with an HTTPS page, is no guarantee of security. Likewise, just because you don’t see an indication that a page is secure is no indication that the page is inherently dangerous in any way.
Spotting Insecure Websites Requires More Than Google’s Red X
For example, there are many sites where a company’s home page is just a plain HTTP page, but when you go to any ecommerce page to purchase something, then the pages switch to HTTPS. On those pages any personal or financial information exchanged should be secure and encrypted, assuming the site doesn’t have any other security lapses.
It’s the other security lapses that are the concern. Just because the link between your computer and the other website is encrypted doesn’t prevent data loss or compromise caused by poor practices, security breaches or larcenous employees. Unfortunately, just because your data gets to the other site securely, there are still a lot of ways it can be compromised.
Currently many sites, including major ecommerce sites, continue to use HTTP for access and only shift to encryption when it comes time to use your financial information. A good example of this practice is apple.com, which does not use SSL encryption until you get to the checkout page. Yet there’s nothing insecure about Apple or its website, but apparently according to the new policy, Google would demote Apple in any search rankings.
On the other hand, I could create a site such as https://www.imabadguy.com (this is not a real site) and it would get the green padlock from Google, which would enhance its search ranking on the assumption that it’s delivering enhanced security. Yet I could load the home page to all sorts of links to evil malware, viruses, phishing sites and the like, and still get better search rankings.
Fortunately, there’s more to security than encrypted websites. Google also keeps track of sites that contain malware as do many security software suites. I’ve noticed repeatedly that my security software will alert me if I try to browse to a page containing potential malware.
What is of potentially greater concern is if browser makers start trying more aggressively to enforce a requirement for SSL. Perhaps instead of a red X appearing next to the address bar, might we not see an alert that actually blocks access to such sites without affirmative permission? Imagine what might happen if you had to deal with a dialog box asking if you were sure you wanted to continue to an insecure site when all you were doing was trying to look at your cousin’s cat videos.
While information on the nature of your connection to any website is useful, that information is already there. It’s not clear that an additional layer of enforcement is necessarily a good thing.