Over the last few years, Google Chrome has become the browser used by most people on the internet, unseating Firefox and Internet Explorer and staying ahead of Apple’s Safari and Microsoft Edge. Google has been using that position to push websites to improve their transport security, either by stopping them from working altogether or by shaming them into using the secure HTTP protocol (HTTPS).
In 2015, Google decided that all websites using SHA-1 certificates would simply stop working in Chrome. They put out this simple statement: “The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper. That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November.” This forced thousands of businesses to upgrade their SHA-1 certificates to SHA-2 or SHA-3.
In the near future, the Chrome browser will mark an unencrypted site with a red “X” placed over the padlock in the URL bar, with the intention of pushing all sites to serve over the secure communication protocol HTTPS. As mentioned in a recent Washington Post article, this will happen even if a website is not selling anything and does not accept credit cards, because HTTPS is not just for credit cards. If a website has a “Contact Us” form or questionnaire that asks for a name and email address and the site is not served over HTTPS, the end-user’s information travels from the browser to the web server in clear text, leaving it exposed in transit. Google’s plan, [according to a company blog post](https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html) made late last week, is to label HTTP sites that accept credit card and password data “more clearly and accurately as non-secure” for Chrome users, starting in January 2017.
So what should you do?
- Buy an SSL certificate from a certified certificate authority (CA). There are many options regarding key length, single-domain or wildcard certificates, and so on.
- Install the certificate on your web server or servers.
- Ensure that all HTTP access to your website is redirected to its corresponding HTTPS equivalent.
- Use Strict Transport Security (HSTS) to tell clients that they should always connect to your server via HTTPS, even when following an http:// reference. This defeats attacks such as SSL stripping, and also avoids the round-trip cost of the 301 redirect set up in the previous step.
- Always keep your SSL certificate current. Certificates expire and have to be renewed.
- Ensure all URLs generated or created in your web site or web app are protocol-neutral.
- Turn on secure cookies.
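The redirect, HSTS and secure-cookie steps above can be verified from the server's responses alone. The following script is an added example written for this post, not Artemis Consulting's tooling: it parses raw HTTP responses and reports whether the HTTP endpoint redirects to the equivalent HTTPS URL, whether the HTTPS endpoint sends a Strict-Transport-Security header with a max-age of at least one year, and whether every Set-Cookie carries the Secure attribute. The sample responses are constructed inline so it runs offline; the one-year threshold, the function names and the `www.example.com` host are assumptions.

```python
"""Offline audit of three HTTPS rollout steps: HTTP->HTTPS redirect,
HSTS, and Secure cookies. Added example; the responses below are
constructed, not captured from any real site."""
from urllib.parse import urlsplit

# Constructed sample: a site that has completed the steps.
GOOD_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/contact\r\n"
    "Content-Length: 0\r\n\r\n"
)
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Constructed sample: serves the page over plain HTTP, no HSTS, cookie not Secure.
BAD_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)
BAD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers).

    Header names are lower-cased; values are kept in a list because
    Set-Cookie may legitimately appear more than once."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; URLs contain colons
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_redirect(raw, requested_url):
    """True if the HTTP response is a permanent redirect to the same
    host and path over https (a redirect to a different page does not count)."""
    status, headers = parse_response(raw)
    if status not in (301, 308):
        return False
    want = urlsplit(requested_url)
    got = urlsplit(headers.get("location", [""])[0])
    return got.scheme == "https" and got.netloc == want.netloc and got.path == want.path


def check_hsts(raw, min_age=31536000):
    """True if Strict-Transport-Security is present with max-age >= min_age
    (one year by default, an assumed threshold)."""
    _, headers = parse_response(raw)
    values = headers.get("strict-transport-security")
    if not values:
        return False
    for directive in values[0].split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1]) >= min_age
            except ValueError:
                return False
    return False  # header present but no max-age directive


def check_cookies(raw):
    """True if every Set-Cookie carries the Secure attribute.
    A response that sets no cookies passes trivially."""
    _, headers = parse_response(raw)
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            return False
    return True


def audit(http_raw, https_raw, url):
    """Run all three checks and return a dict of results."""
    return {
        "redirect": check_redirect(http_raw, url),
        "hsts": check_hsts(https_raw),
        "secure_cookies": check_cookies(https_raw),
    }


if __name__ == "__main__":
    url = "http://www.example.com/contact"
    print("good site:", audit(GOOD_HTTP, GOOD_HTTPS, url))
    print("bad site: ", audit(BAD_HTTP, BAD_HTTPS, url))
```

To use it against a live server, replace the constructed strings with the raw response text returned for the same path over http:// and https://; the checks deliberately require the redirect target to keep the original host and path, since a redirect that lands users on the home page is a common way to "satisfy" the redirect step while breaking deep links.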
There are many websites that help you figure out how to do the above in a DIY fashion. The Artemis Consulting team is well-versed in internet security and, specifically, web server security. Contact us if you need help with securing your web infrastructure. We are here to help.