Google has announced that it will remove its ‘green padlock’ for HTTPS websites as of September, and will flag any non-HTTPS sites as insecure in Chrome from October. Google is hoping this will mean websites are secured as standard. Craig Stewart, Vice-President EMEA at Venafi, commented below.
Craig Stewart, Vice-President EMEA at Venafi:
“As consumers, we have been trained to look for the green padlock to make sure the site we are putting our details into is secure and can be trusted, so the fact these are now being removed might create some confusion and concern – but people shouldn’t worry, it’s actually a sign that the internet is becoming more secure. The fact is, websites should be secure as the de facto standard; it’s those sites that do not use HTTPS that should be brought to our attention so that we do not use them. When Chrome starts to flag any sites not using HTTPS as insecure, users will simply become used to expecting security as the default instead of checking for the padlock. This will pressure businesses to step up their game and improve security across the internet, which can only be a good thing.
However, as we’ve already seen from the deprecation of SHA-1 certificates, organisations are typically slow to react to warnings of this kind and can often underestimate the task at hand. Many organisations do not properly track which certificates they have applied where, and have thousands of certificates that they are unaware of. Just the task of discovering these and making sure they are upgraded to HTTPS will be a big task and, if done manually, there are likely to be gaps which cause disruption to customers and business processes. This is why businesses need to take control of their security and use automation to enable them to be agile in applying new changes such as switching from HTTP to HTTPS certificates. Unless organisations are able to identify where their HTTP certificates are, and then have the flexibility to revoke and replace these with HTTPS certificates, they will be faced with customers, partners and prospects refusing to access a seemingly insecure site. Businesses have less than 6 months to make sure they’ve resolved the situation, so better get started now.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.