Version 68 of the Google Chrome browser, announced for the beginning of July 2018, will introduce a new treatment of websites that do not use TLS (or its predecessor, SSL): it will mark them as “NOT SECURE”.
The whole story has been following a familiar path for years, and it is not just Google that pushes the “TLS-isation” of the web, just take a look at our article here.
As Chrome is one of the most widely used browsers in the world whose practices are closely followed by others (Mozilla, Microsoft, Apple, etc.), it is clear that this seemingly technical change carries significant widespread implications.
Implications for owners of any web content (from news portals to web services):
- Urgent adoption of TLS-only access (HTTP is legacy technology!) in order to retain SEO features and at least the same level of content popularity;
- Consequent consideration of “performance impact” and increased resource requirements in comparison with clear-text HTTP traffic that TLS will inevitably bring about;
- Review of server certificate management mechanisms (Entrust Solutions) and optimization of their costs, all the while ensuring the “A rating” (also connected with SEO and trust in service), for example, take a look at https://www.ssllabs.com/ssltest/
Implications for network content security, that is, IT operations within organizations:
- TLS is great for privacy, but TLS interface causes a lesser visibility of content in antivirus and other network-level analyses. Under conditions when >90% of internet gateway traffic becomes TLS encrypted, URL, web reputation and antivirus content filtering will without implementing adequate tools become blind and useless.
- Careful consideration of impact on performance once TLS becomes the new internet gateway TCP where network equipment that provides some type of TLS security treatment is already implemented. Will such trends hinder existing security equipment and reduce its effectiveness?
P.S. Google intends to continue perfecting user experience on HTTP vs. HTTPS websites – take a look at Chromium Blog for more details.