With Google Chrome flagging up insecure sites, you can check whether a site is HTTPS (encrypted) using free services like SSL Checker from High-Tech Bridge – https://www.htbridge.com/ssl/ and then encrypting it using free services like Let’s Encrypt.
Sample results flagging poor HTTPS status
Here are some issues we found on a site we tested earlier on High-Tech Bridge’s SSL checker with an explanation about what this means and some comments about the new initiative.
The first issue is that you can open this website by HTTP while you also have a HTTPS version. If you go to HTTP version of www.htbridge.com for example – you will be forwarded to the HTTPS version. If your website is not redirected to HTTPS, Google will mark the website as in-secure.
The second issue is that this website has some external content (e.g. iframes, images, scripts, etc) that are loaded from external HTTP resources, without HTTPS, again this may find Google marking this site down.
Ilia Kolochenko, CEO at Web Security Firm High-Tech Bridge:
Is the Google move a good idea?
“Taking into consideration that more and more people use mobile devices to interact with the Internet, and thus rely on public or insecure wireless networks to send out sensitive data, it’s definitely a good idea”.
Mobile applications can be a problem here, as common users cannot check if data the mobile app sends out (including passwords, personal, financial and medical data) is encrypted or not. Usually people don’t even think about it, so some of them will switch to mobile apps (of the same company) instead of a website, thinking that it’s more secure.”
In terms of how easy it is to encrypt a website “with such projects as Let’s Encrypt, it takes less than an hour.”
On whether HTTPS give users a false sense of security, “often, yes. One should remember that HTTPS is only about encryption of data channel between browser and a web server, and has absolutely nothing to do with web application security. SQL injections, XSS and all other web application vulnerabilities remain perfectly exploitable.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.