Building a brand online relies on trust. Business growth online relies on website which can inspire trust of their visitors – to fill out forms, enter their payment details or even just to sign up for a newsletter. Since we live in a world where a simple click can mean lost private data, stolen credit cards or installed malware, it’s more important than ever to make sure that our websites deserve this trust.
In their mission to make web a safe place, couple of months ago Google announced that starting October 2017, Google Chrome will require transparent SSL certificate, in order to mark website as secure and it’s reasonable to expect that other browsers will follow soon.
In addition to that, starting with Google Chrome version 56 and onwards, all HTTP websites which ask for login details or payment details are labeled as “Non-secure”, faith which eventually all HTTP websites will meet. Since roughly 30% of the UK browser market runs on Chrome, this could potentially have a big impact.
What does this all mean and why does Google change the rules all of sudden? I asked industry expert, Tim Dunton from Nimbus Hosting what impact this will have on the domain names market:
“It’s about time that someone cleans up all the SSLs on the market place with something easier and cleaner for consumers to understand. I’m hoping some of the changes will go further to handle some of the more basic SSLs on the market that are easy to get issued. This would be easier for consumers to differentiate between domain validated and organisation validated SSLs.”
There are multiple levels of SSL validation, which should naturally inspire different levels of users trust. As GlobalSign explains, domain validated SSL certificates only check the right of applicant to use a specific domain name. In addition to that, organization validated SSL certificates vett the organisation as well.
Extended validation (EV) SSL certificates according to Global Sign require the Certificate Authority checks the right of the applicant to use a specific domain name as well as to conduct a thorough vetting of the organization. The issuance process of EV SSL Certificates is strictly defined in the EV Guidelines.
Current (non-transparent) system of issuing SSL certificates has one big flaw: there are hundreds of certification authorities (CA) around the world which can grant applicant a certificate for one of their domains, even if you had already bought one from another CA. There is no “higher control”, no way to communicate between the CAs in real time, to compare their records.
As a result, it became possible to hack CAs and make them issue “valid” SSL certificates for domains hackers didn’t own at all – and the legitimate wouldn’t have a way to find out until it’s too late. However, hackers are not the only culprits. Google has found out that Symantec has mistakenly issued an SSL certificate for google.com … to someone else.
There were also multiple cases when a government body was responsible for compromising trusted certificates in what is known as man-in-the-middle-attacks. Examples include NSA, French, Iranian and Indian government agencies.
The main idea behind Certificate transparency is one of those beautifully simple concepts, which makes you wonder how come we haven’t been doing it like this sooner: let’s keep a public log server, where everyone (although mostly the certification authorities, naturally), will be able to record every issued certificate.
Entries in the certification log are open, so that everyone can search in them and see whether certain certificate is legit and belongs to who they say it belongs. Go ahead and lookup certificates issued for your (or any) domain on Google’s Certificate Transparency Lookup tool.
Here is Moz’s for example:
Keeping “cyber diaries” is surely a big step in transparency, but they wouldn’t be that efficient if no one was controlling and consulting them regularly. That’s where the public monitors come in.
Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates. For example, monitors can tell if an illegitimate or unauthorized certificate has been issued for a domain, and they can watch for certificates that have unusual certificate extensions or strange permissions, such as certificates that have CA capabilities. (source: https://www.certificate-transparency.org/what-is-ct)
The third component of the whole transparent SSL framework are auditors – lightweight software components that can verify that logs are behaving correctly and that a particular certificate appears in a log. If a certificate has not been registered in a log, it’s a sign that the certificate is suspect, and TLS clients may refuse to connect to sites that have suspect certificates. Example of an auditor are some integral parts of Google Chrome.
Google hasn’t announced any changes to the way their search engine algorithm gauges secure websites in order to receive rankings boost, however we can certainly expect a shift towards stricter evaluation of what “secure” means for Google in future.
All of the changes around the transparency and security promoted by Google make the case of switching to HTTPS more pronounced than ever.
Or you can consult these helpful step-by-step guides for migration to HTTPs:
Adhering to the whims and fancies of Google’s unpredictable nature can be a tasking ordeal for content creators around the world. What once seemed like a harmonious relationship, the bond between consumers and producers of content has become somewhat volatile, asking marketeers to be agile in their approach to content. As click-through-rates and organic opportunity … Read more
On 15th November, Kaizen was ranked the 38th fasted growing tech company in the UK according to the Deloitte Tech Fast 50 Awards. The Deloitte Technology Fast 50 is one of the UK’s foremost technology award programmes, celebrating innovation and entrepreneurship. Now in its 21st successful year, it is a ranking of the country’s 50 … Read more
On 23rd November, Kaizen will be hosting a full-day digital PR workshop, designed to show our process of earning over 10,000 backlinks on top-tier sites such as Marie Claire, Business Insider and Culture Trip over the last five years. It will take place at Citypoint, in Moorgate, London. The CEO & Founder of Kaizen, Pete … Read more