HTTPS and Chrome 56
Making your site secure is no longer a priority for network administrators alone. With recent browser updates highlighting sites that are not secured with HTTPS, marketing departments need to understand why the push for HTTPS is happening and how it affects their business and their users.
What is SSL and HTTPS?
Secure Sockets Layer (SSL) is a security protocol that encrypts traffic between a web server and the client (a browser); HTTP carried over it becomes HTTPS. Typical web traffic under HTTP is transferred in plain text, which means it is in a human-readable form. Securing the transport layer encrypts this traffic, so someone listening to the traffic between a user and your site cannot read the communication unless they have your encryption key, which is highly unlikely (more about that later).
Why am I hearing about Chrome 56?
It has always been a good idea to encrypt sensitive data, but many users do not pay attention to the URL bar; they may not notice or understand that if they log in to your site over public WiFi, their credentials could be exposed. Browsers are starting to show users a visual indicator not only when your site is secure, but also when your site is considered not secure. Users of Chrome version 56 and later will see the words “Not Secure” next to the already existing gray icon on pages that contain sensitive form fields such as passwords or credit card numbers.
You can read Google’s blog here: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
How do I secure my site?
Contact the Thinklogic team for customized recommendations for your company. There are multiple options when it comes to purchasing SSL certificates; our recommendations will vary based on your site framework, use of a Content Delivery Network (CDN), and daily traffic to your site.
How does the data get encrypted?
The process relies on keys: long strings of random characters. When an SSL certificate is issued, it comes with a private key and a public key. The private key is the most important, as it is the only thing that can decrypt data sent to the web server. When a page is requested, the web server sends back the certificate details, including who issued the certificate and to whom it was issued. The browser verifies the data in the certificate and accepts the certificate’s public key. The browser then uses this public key to encrypt data to send to the web server, which can only be read using the previously mentioned private key.
When the server needs to send encrypted data to the browser, it uses a symmetric key (meaning the same key both encrypts and decrypts) that was exchanged during the first contact, also referred to as the handshake.
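The sequence just described (server presents a certificate, browser checks who issued it and to whom, browser encrypts a session key with the certificate's public key, server unwraps it with the private key, and both sides then use that one symmetric key for the data) is shown below as an added example in Go using only the standard library. It is not code from Thinklogic or from Chrome; the hostnames are constructed, the certificate is self-signed so that the server stands in for its own certificate authority, and the RSA key-transport step mirrors the page's description rather than the key exchange a current TLS handshake actually performs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewServerIdentity makes the server's RSA key pair and a self-signed certificate
// for host (constructed for this example; a real site's certificate is signed by
// a certificate authority, not by the site itself).
func NewServerIdentity(host string) (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host}, // to whom it was issued
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// BrowserVerify is the browser's step: confirm an issuer it trusts signed the
// certificate and that it names the site being visited, then accept its public key.
func BrowserVerify(cert, trustedRoot *x509.Certificate, host string) (*rsa.PublicKey, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return nil, fmt.Errorf("certificate rejected for %s: %w", host, err)
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, fmt.Errorf("certificate does not carry an RSA public key")
}

// SessionCipher is the symmetric part: once both sides hold the session key, the
// same key encrypts and decrypts every message (AES-GCM here).
func SessionCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Exchange runs the whole sequence for a server whose certificate names certHost
// and a browser that visited visitedHost, and returns what the server decrypts.
func Exchange(certHost, visitedHost string, message []byte) ([]byte, error) {
	priv, cert, err := NewServerIdentity(certHost)
	if err != nil {
		return nil, err
	}
	pub, err := BrowserVerify(cert, cert, visitedHost) // browser trusts this issuer
	if err != nil {
		return nil, err
	}
	// The browser picks a random 256-bit session key and encrypts it with the
	// server's public key, so only the holder of the private key can read it.
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey) // crypto/rand fills the slice; no error to handle
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// The server recovers the session key with the private key it never sent.
	serverKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	browserAEAD, err := SessionCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	serverAEAD, err := SessionCipher(serverKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, browserAEAD.NonceSize()) // fresh per message, sent in the clear
	rand.Read(nonce)
	return serverAEAD.Open(nil, nonce, browserAEAD.Seal(nil, nonce, message, nil), nil)
}
```

Calling Exchange("www.example.com", "www.example.com", data) returns data unchanged, because the server's copy of the session key came out of its private key. Calling it with a visited hostname that the certificate does not name fails in BrowserVerify before any key leaves the browser, which is the check that makes the "who was it issued to" part of the certificate matter.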
When a certificate authority, such as GoDaddy or Digicert, issues a certificate, it is not always a unique key.