Building a brand online relies on trust. Business growth online relies on websites that can inspire the trust of their visitors – to fill out forms, enter their payment details or even just sign up for a newsletter. Since we live in a world where a simple click can mean lost private data, stolen credit cards or installed malware, it’s more important than ever to make sure that our websites deserve this trust.
In their mission to make the web a safe place, a couple of months ago Google announced that, starting October 2017, Google Chrome will require a transparent SSL certificate in order to mark a website as secure, and it’s reasonable to expect that other browsers will follow soon.
In addition to that, from Google Chrome version 56 onwards, all HTTP websites that ask for login details or payment details are labelled as “Non-secure”, a fate which all HTTP websites will eventually meet. Since roughly 30% of the UK browser market runs on Chrome, this could have a big impact.
What does this all mean, and why is Google changing the rules all of a sudden? I asked industry expert Tim Dunton from Nimbus Hosting what impact this will have on the domain names market:
“It’s about time that someone cleaned up all the SSLs on the marketplace with something easier and cleaner for consumers to understand. I’m hoping some of the changes will go further to handle some of the more basic SSLs on the market that are easy to get issued. This would make it easier for consumers to differentiate between domain validated and organisation validated SSLs.”
There are multiple levels of SSL validation, which should naturally inspire different levels of user trust. As GlobalSign explains, domain validated SSL certificates only check the applicant’s right to use a specific domain name. Organisation validated SSL certificates vet the organisation as well.
Extended validation (EV) SSL certificates, according to GlobalSign, require the Certificate Authority to check the applicant’s right to use a specific domain name as well as to conduct a thorough vetting of the organisation. The issuance process for EV SSL certificates is strictly defined in the EV Guidelines.
The current (non-transparent) system of issuing SSL certificates has one big flaw: there are hundreds of certification authorities (CAs) around the world, any of which can grant an applicant a certificate for one of your domains, even if you had already bought one from another CA. There is no “higher control” and no way for the CAs to communicate in real time and compare their records.
As a result, it became possible to hack CAs and make them issue “valid” SSL certificates for domains the hackers didn’t own at all – and the legitimate owner would have no way to find out until it was too late. However, hackers are not the only culprits. Google found out that Symantec had mistakenly issued an SSL certificate for google.com … to someone else.
There were also multiple cases where a government body was responsible for compromising trusted certificates in what are known as man-in-the-middle attacks. Examples include the NSA and French, Iranian and Indian government agencies.
The main idea behind Certificate Transparency is one of those beautifully simple concepts that makes you wonder why we haven’t been doing it this way all along: keep a public log server where everyone (although mostly the certification authorities, naturally) can record every issued certificate.
Entries in the certificate log are open, so anyone can search them and see whether a given certificate is legitimate and belongs to whom it claims to belong. Go ahead and look up the certificates issued for your (or any) domain with Google’s Certificate Transparency Lookup tool.
Here is Moz’s for example:
Keeping these “cyber diaries” is surely a big step towards transparency, but they wouldn’t be very effective if no one controlled and consulted them regularly. That’s where the public monitors come in.
Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates. For example, monitors can tell if an illegitimate or unauthorized certificate has been issued for a domain, and they can watch for certificates that have unusual certificate extensions or strange permissions, such as certificates that have CA capabilities. (source: https://www.certificate-transparency.org/what-is-ct)
The third component of the whole transparent SSL framework is auditors: lightweight software components that can verify that logs are behaving correctly and that a particular certificate appears in a log. If a certificate has not been registered in a log, that is a sign that the certificate is suspect, and TLS clients may refuse to connect to sites that present suspect certificates. Google Chrome, for example, has auditor functionality built in as an integral part of the browser.
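The lookup, monitor and auditor roles described above all reduce to a few checks over parsed certificates. Below is an added example written for this post, not code from Google, the Certificate Transparency project or any log operator, in Go, the language of Google’s certificate-transparency-go tooling. It constructs four throwaway certificates to stand in for log entries (the issuer names, domains, serial numbers and the placeholder SCT bytes are all made up for the example), then runs a monitor-style pass that flags entries for a watched domain issued by an unexpected CA or carrying CA capabilities, and an auditor-style check that each entry carries an embedded SCT list, the signed promise of inclusion a log returns when a certificate is submitted. The watch list maps each watched domain to the issuer name its owner expects; only the SCT extension OID is taken from RFC 6962.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OID of the embedded SCT list extension (RFC 6962, section 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// Finding is one alert a monitor or auditor would raise for a log entry.
type Finding struct{ Serial, Reason string }

// hasSCTs reports whether the certificate carries an embedded SCT list extension.
func hasSCTs(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSCTList) {
			return true
		}
	}
	return false
}

// Review flags, per entry, an unexpected issuer for a watched domain and CA capabilities
// (monitor checks) and a missing SCT list, meaning it was never logged (auditor check).
func Review(watch map[string]string, entries ...*x509.Certificate) []Finding {
	var findings []Finding
	for _, c := range entries {
		serial := c.SerialNumber.String()
		if c.IsCA {
			findings = append(findings, Finding{serial, "certificate has CA capabilities"})
		}
		if !hasSCTs(c) {
			findings = append(findings, Finding{serial, "no embedded SCT list"})
		}
		for _, san := range c.DNSNames {
			for domain, issuer := range watch {
				// A SAN covers the watched domain if it is the domain or any host under it.
				if (san == domain || strings.HasSuffix(san, "."+domain)) && c.Issuer.CommonName != issuer {
					findings = append(findings, Finding{serial,
						fmt.Sprintf("%s issued by unexpected CA %q", san, c.Issuer.CommonName)})
				}
			}
		}
	}
	return findings
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewTestCert builds a throwaway certificate standing in for a log entry; every value is constructed.
func NewTestCert(serial int64, issuer string, names []string, isCA, withSCT bool) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: names[0]},
		DNSNames:              names,
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if withSCT {
		// Placeholder bytes: a real value is a TLS-encoded SignedCertificateTimestampList.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: []byte{0x04, 0x02, 0x00, 0x00}}}
	}
	// The parent template only supplies the issuer name; the leaf's own key signs.
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

func main() {
	// Constructed batch: one clean entry and three that a monitor or auditor should flag.
	findings := Review(map[string]string{"example.com": "Expected CA"},
		NewTestCert(1, "Expected CA", []string{"example.com", "www.example.com"}, false, true),
		NewTestCert(2, "Other CA", []string{"login.example.com"}, false, true), // unexpected issuer
		NewTestCert(3, "Expected CA", []string{"example.com"}, true, true),     // CA capabilities
		NewTestCert(4, "Expected CA", []string{"example.com"}, false, false),   // never logged
	)
	for _, f := range findings {
		fmt.Printf("serial %s: %s\n", f.Serial, f.Reason)
	}
}
```

Against a real log, the entries would come from the log’s get-entries endpoint (RFC 6962, section 4.6) and the SCT bytes would be real signatures to verify against the log’s public key; the three checks themselves stay the same.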
Google hasn’t announced any changes to the way its search engine algorithm gauges whether a website is secure when deciding on a rankings boost; however, we can certainly expect a shift towards a stricter evaluation of what “secure” means for Google in future.
All of the changes around transparency and security promoted by Google make the case for switching to HTTPS more pronounced than ever.
Or you can consult these helpful step-by-step guides for migrating to HTTPS: