22 Jan With HTTP on the Way Out, Total Encryption is on the Way In
Prepare yourself for the proliferation of 100% encryption across the internet.
According to a February 2016 Netcraft report, just 3% of all websites use SSL/TLS encryption. That leaves a staggering majority – 97% – of the internet unsecure. That figure is quite alarming considering we live in a day and age where cybercrime is becoming increasingly prevalent and increasingly sophisticated.
And everyone is a target—not just large corporations. While 90% of large organizations have suffered from some form of hack or data breach, 74% of small-to-medium sized business have also been targeted.
It’s because of this – in addition to a litany of other factors – that the entire web security industry is making a push for universal encryption. After all, web security isn’t a self-contained entity, it’s an ecosystem—one in which encryption plays a vital role.
The Browser Community has Begun Demanding that Websites Use SSL/TLS
One of the biggest proponents of the movement to encrypt the entire internet is the browser community. Previously, only sites in a handful of industries – eCommerce, Healthcare, Financial – were thought to need an SSL/TLS certificate. But as threats to our personal information have increased, that way of thinking has been challenged.
Now, popular browsers like Firefox, Chrome, Safari and Edge are pushing for every site to at least have basic encryption. And given the browser community’s unique position between internet users and the sites that populate the web—they have the power to incentivize universal encryption to the point where it becomes a necessity.
Here are some of the ways the browser community is pushing for universal encryption:
Giving Users Warnings About Unencrypted Websites
In the past, when you visited a website without encryption nothing happened. This is because HTTP has been the widely accepted standard since 1997. HTTP is the traditional way to serve a website. When you encrypt a website, however, you begin to serve it over HTTPS (HTTP + SSL).
The browser community would like to see all websites being served over HTTPS in the near future. In order to achieve this, browsers will soon warn internet users when they’re about to access an unencrypted site. As you can imagine, this could create disastrous results for any site without encryption, as most internet users opt not to continue on a website when presented with a warning about it being potentially unsafe.
Giving an SEO Ranking Boost for Using SSL/TLS
Back in 2014, when Google announced it would begin factoring in the use of SSL/TLS to its ranking algorithm, the impact was fairly minimal. Today, as the browser community continues to push for universal encryption, the impact has grown considerably. Now sites that practice “Always-On SSL,” meaning they serve every page of their site over HTTPS – not just login and checkout pages – can receive up to a 5% search rankings boost. In the world of SEO every little bit helps and 5% is huge—it could be the difference between page one and page two.
Making Powerful Features Available Only to Those Who Use HTTPS
Google Chrome is pushing the universal encryption initiative by making certain features only available to those using SSL/TLS. For instance, geolocation – a feature which allows businesses to ascertain a visitors’ location – will no longer be supported for sites served over HTTP after Chrome version 50. This means that if a site wants its visitors to be able to find its physical location or to give them directions to its closest shop, it will need to start using SSL/TLS.
And this is just one of many features available only to encrypted websites. Google is not alone in this, either. Mozilla, the makers of the browser Firefox, announced in August 2015 that they also plan to make new features available only to those sites served over HTTPS in addition to phasing out existing features for non-encrypted sites.
Making HTTP/2 Work Only with Encrypted Sites
HTTP has been the standard protocol for web communication since 1997. That’s ancient in internet years. But, HTTP/2, the successor to HTTP was recently ratified by the IETF (Internet Engineering Task Force). As of right now HTTP/2 represents about 18% of all global internet traffic—a number that is bound to rise considerably over the coming years.
The benefits of HTTP/2 are numerous, though the one that gets the most attention is increased speed. Unfortunately, none of those benefits will be available if your website doesn’t have SSL/TLS. The browser community will only serve HTTP/2 over sites with SSL/TLS. Considering HTTP/2 is the future of the internet, it’s going to get harder and harder for sites to stay competitive without encrypting.
Marking Emails Sent from Non-Secure Servers
According to Netcraft, just 18% of mail servers use a publicly trusted SSL Certificate. That’s an extremely low figure. Google has begun to draw attention to this by marking all mail sent from unencrypted servers with a red open padlock and a line below the subject field that states the sender did not encrypt the message. If a mail server does use SSL/TLS encryption, the recipient will be shown that the mail was sent from an encrypted source.
The browser community is in the position to drive the universal encryption initiative—and that’s exactly what it’s doing. By issuing warnings for unencrypted sites, offering SEO rankings boosts to sites with SSL/TLS, making powerful features available to just those with encryption and only serving HTTP/2 traffic over HTTPS, the browser community is essentially forcing the rest of the internet’s hand.
It’s time to encrypt. Not only for the sake of our own websites but to help shore up a larger web security ecosystem. In order to stay ahead of the curve, it’s vital to start using encryption across all pages of your website. In the past it was a choice. Today it’s a requirement. The age of universal encryption is here.