Why Google’s ‘Distrust’ Campaign Could Lead to Much Safer Web Commerce

The stick-and-carrot campaign to get all websites to use digital certificates and encryption will be a game changer.


By and large, HTTPS, the encrypted form of delivering websites, has proven to be a very effective mechanism for assuring the legitimacy of websites, while also protecting the privacy of website visitors.

Many of the largest, best known companies have embraced HTTPS. And yet the vast majority of websites still use the much less secure HTTP protocol. That’s about to change. The top web browser suppliers—led by Google (Chrome), but with Mozilla (Firefox) and Microsoft (Internet Explorer) close behind—have started to use strong-arm tactics to compel universal adoption of HTTPS, and to incentivize website publishers to stay current with the periodic certificate renewals HTTPS requires.

Given the general state of cyberinsecurity, there really is no such thing as too pushy here. So I completely approve of the move Google made on March 15 when the company began flagging websites running older versions of HTTPS, informing users that they were potentially unsafe.

For the time being this warning only appears on beta Chrome 66, the latest version of Google’s browser. But the search giant has announced plans to issue similar “distrust” warnings on an increasingly wide basis. By this time next year, all websites that don’t get on board with the current version of HTTPS will be outed, with increasingly harsh distrust labels popping up anytime someone clicks on such sites.

For any website publisher who hasn’t been paying attention, this could be a rude awakening. This includes everyone from bloggers to organizations of all sizes and in all industries that choose to ignore the new, more robust form of HTTPS.

Private sector crusade

Amazingly, this assertive push to bake in baseline web browser security has unfolded with no government regulators anywhere in sight. Google has so far marshaled this private sector crusade. A cynic might point to Google’s obvious ulterior motive: a safe web is a lucrative web. Google has 110 billion reasons to maintain and, if it can, improve browser safety: consumer browsing drives the growth of online advertising revenue, its lifeblood.

The take-away: Without HTTPS, the Internet might have long ago deteriorated into an untenable environment, dominated by spoofed phishing pages and pervasive malware. That does not mean that phishing websites and corrupted web links are no longer a significant threat. It just means we’d be much worse off without HTTPS.

It’s taken a decade and a half for HTTPS to mature, and the timing is now ripe to jettison HTTP altogether and to advance to HTTPS as the de facto standard. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), come into play in the form of digital certificates issued by Certificate Authorities (CAs)—vendors that diligently verify the authenticity of websites, and then also help the website owners encrypt the information consumers type into web page forms.

This robust protection gets implemented by leveraging a trust framework called public key infrastructure (PKI). This all happens in the blink of an eye when you fill out a form on a certificated web page. The visual confirmation is the tiny lock icon, usually green, preceding the web page’s HTTPS address in the browser’s URL bar.
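What the browser does behind that lock icon, and what the “distrust” warnings described above are really about, can be seen in a few lines of code: the client validates the certificate chain against trusted CAs, checks that the certificate names the host it dialled, refuses obsolete protocol versions, and notices when a certificate is expired or about to expire. The following is an added example written for this page, not the author's code or Google's; it uses only the Python standard library. The function names, the `warn_days` threshold and the `SAMPLE_CERT` dictionary are assumptions constructed for illustration (the sample is not a real certificate), and `fetch_peer_cert` is included only to show how the same status check would be run against a live site.

```python
import socket
import ssl
from datetime import datetime, timezone


def hardened_client_context(cafile=None):
    """Client-side TLS context with the checks a browser applies:
    chain validation against trusted CAs, hostname matching, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)  # system trust store unless cafile is given
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSL 3.0 / TLS 1.0 / TLS 1.1
    ctx.check_hostname = True                         # leaf cert must name the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED               # untrusted or missing chain aborts the handshake
    return ctx


def certificate_status(peer_cert, now=None, warn_days=30):
    """Summarise a dict shaped like ssl.SSLSocket.getpeercert(): who issued it,
    which DNS names it covers, and how long before renewal is due.
    `now` may be a timezone-aware datetime, a certificate-style time string
    ("Mar  1 00:00:00 2019 GMT"), or None for the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromtimestamp(ssl.cert_time_to_seconds(now), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peer_cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    # issuer is a tuple of RDNs; each RDN is a tuple of (attribute, value) pairs
    issuer = {attr: value for rdn in peer_cert["issuer"] for attr, value in rdn}
    dns_names = [value for kind, value in peer_cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if days_left < 0:
        verdict = "expired"          # browsers show an interstitial error here
    elif days_left < warn_days:
        verdict = "renew-soon"       # an expiry monitor should page the site owner
    else:
        verdict = "ok"
    return {
        "issuer": issuer.get("organizationName", "?"),
        "dns_names": dns_names,
        "days_left": days_left,
        "verdict": verdict,
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a fully verified TLS connection and return the leaf certificate dict.
    Needs network access; the offline demo below does not call it."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() layout (hypothetical names, not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("countryName", "XX"),),
               (("organizationName", "Example CA (constructed)"),),
               (("commonName", "Example Issuing CA"),)),
    "notBefore": "Dec 15 00:00:00 2018 GMT",
    "notAfter": "Mar 15 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "www.shop.example.test")),
}


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum TLS:", ctx.minimum_version.name, "| hostname check:", ctx.check_hostname)
    for when in ("Jan  1 00:00:00 2019 GMT", "Mar  1 00:00:00 2019 GMT", "Mar 16 00:00:00 2019 GMT"):
        print(when, "->", certificate_status(SAMPLE_CERT, now=when))
```

Run as a script it evaluates the constructed certificate at three points in time and reports "ok", "renew-soon" and "expired" in turn; pointing `certificate_status(fetch_peer_cert("your.site"))` at a real host turns the same logic into the expiry check that keeps a site ahead of the browser warnings the article describes.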

Google is all about the green lock and what it is doing now definitively affirms that the PKI ecosystem is scalable, reliable and trustworthy — despite problems that infamously beset prominent certificate authority (CA) vendors DigiNotar and Comodo a few years back, circa 2011.

Securing the Cloud and IoT

Google’s vote of confidence in HTTPS for all websites also reinforces a concept gaining steam in cybersecurity circles that HTTPS and PKI might be adaptable beyond just securing and encrypting web browser sessions.

Some experts have begun advocating the notion that HTTPS and PKI could also help secure and pervasively encrypt business and personal data circulating in public cloud services, such as Amazon Web Services, Microsoft Azure and Google Cloud; and probably even play a similar role in locking down the Internet of Things. The best way to keep information safe is encryption.

Consider that the CAs and the browser vendors have done a lot of heavy lifting over the past 15 years or so to stitch together HTTP and the PKI ecosystem. While many of us might take website authentication and encryption for granted, HTTPS and PKI have, in fact, engendered a level of trust in web browsing that has enabled Internet commerce as we know it today.

First things first: All company websites need to jump on the HTTPS bandwagon. Hopefully the stick-and-carrot campaign by Chrome, Firefox and Internet Explorer will succeed in baking HTTPS and PKI into the core of the Internet. It will be exciting to see where we can take it from there.