11th May 2017
Building a brand online relies on trust. Business growth online relies on websites that can inspire the trust of their visitors – to fill out forms, enter their payment details or even just to sign up for a newsletter. Since we live in a world where a simple click can mean lost private data, stolen credit cards or installed malware, it’s more important than ever to make sure that our websites deserve this trust.
In their mission to make the web a safe place, a couple of months ago Google announced that, starting October 2017, Google Chrome will require a transparent SSL certificate in order to mark a website as secure, and it’s reasonable to expect that other browsers will follow soon.
In addition to that, starting with Google Chrome version 56 and onwards, all HTTP websites which ask for login details or payment details are labelled as “Non-secure”, a fate which eventually all HTTP websites will meet. Since roughly 30% of the UK browser market runs on Chrome, this could potentially have a big impact.
What does this all mean, and why is Google changing the rules all of a sudden? I asked industry expert Tim Dunton from Nimbus Hosting what impact this will have on the domain names market:
“It’s about time that someone cleans up all the SSLs on the marketplace with something easier and cleaner for consumers to understand. I’m hoping some of the changes will go further to handle some of the more basic SSLs on the market that are easy to get issued. This would make it easier for consumers to differentiate between domain validated and organisation validated SSLs.”
There are multiple levels of SSL validation, which should naturally inspire different levels of user trust. As GlobalSign explains, domain validated SSL certificates only check the right of the applicant to use a specific domain name. In addition to that, organisation validated SSL certificates vet the organisation as well.
Extended validation (EV) SSL certificates, according to GlobalSign, require that the Certificate Authority check the right of the applicant to use a specific domain name as well as conduct a thorough vetting of the organisation. The issuance process of EV SSL certificates is strictly defined in the EV Guidelines.
The current (non-transparent) system of issuing SSL certificates has one big flaw: there are hundreds of certification authorities (CAs) around the world, any of which can grant an applicant a certificate for one of your domains, even if you had already bought one from another CA. There is no “higher control”, no way for the CAs to communicate in real time and compare their records.
As a result, it became possible to hack CAs and make them issue “valid” SSL certificates for domains the hackers didn’t own at all – and the legitimate owner wouldn’t have a way to find out until it’s too late. However, hackers are not the only culprits. Google found out that Symantec had mistakenly issued an SSL certificate for google.com … to someone else.
There were also multiple cases when a government body was responsible for compromising trusted certificates in what are known as man-in-the-middle attacks. Examples include the NSA and French, Iranian and Indian government agencies.
The main idea behind Certificate Transparency is one of those beautifully simple concepts which make you wonder why we haven’t been doing it this way sooner: keep a public log server where everyone (although mostly the certification authorities, naturally) can record every issued certificate.
Entries in the certificate log are open, so that everyone can search them and see whether a certain certificate is legitimate and belongs to whom it claims to belong. Go ahead and look up the certificates issued for your (or any) domain on Google’s Certificate Transparency Lookup tool.
Here is Moz’s for example:
Keeping “cyber diaries” is surely a big step in transparency, but they wouldn’t be that effective if no one was checking and consulting them regularly. That’s where the public monitors come in.
Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates. For example, monitors can tell if an illegitimate or unauthorized certificate has been issued for a domain, and they can watch for certificates that have unusual certificate extensions or strange permissions, such as certificates that have CA capabilities. (source: https://www.certificate-transparency.org/what-is-ct)
The third component of the whole transparent SSL framework is auditors: lightweight software components that can verify that logs are behaving correctly and that a particular certificate appears in a log. If a certificate has not been registered in a log, it’s a sign that the certificate is suspect, and TLS clients may refuse to connect to sites that have suspect certificates. Examples of auditors include integral parts of Google Chrome.
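The auditor check described above, as an added example in Python (not code from the original post, nor Google’s or any log operator’s implementation): an RFC 6962 Merkle tree over a constructed stand-in log of five entries (short byte strings standing in for DER-encoded certificates; the function names are my own), with an inclusion proof that succeeds for a logged certificate and fails for one that was never logged.

```python
import hashlib

# RFC 6962 domain separation: a leaf can never be re-interpreted as an interior node.
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n > 1), the RFC 6962 split point."""
    return 1 << ((n - 1).bit_length() - 1)

def tree_head(entries: list) -> bytes:
    """Merkle Tree Hash over the log entries (RFC 6962 section 2.1)."""
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def audit_path(m: int, entries: list) -> list:
    """Sibling hashes from leaf m up to the root, leaf side first (section 2.1.1)."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if m < k:
        return audit_path(m, entries[:k]) + [tree_head(entries[k:])]
    return audit_path(m - k, entries[k:]) + [tree_head(entries[:k])]

def verify_inclusion(entry: bytes, m: int, n: int, path: list, root: bytes) -> bool:
    """Auditor-side check: rebuild the root from the leaf and its audit path."""
    def climb(m, n, path):
        if n == 1:  # reached the leaf: the path must be exactly used up
            return leaf_hash(entry) if not path else None
        if not path:  # path too short for a tree of this size
            return None
        k = _split(n)
        below = climb(m, k, path[:-1]) if m < k else climb(m - k, n - k, path[:-1])
        if below is None:
            return None
        return node_hash(below, path[-1]) if m < k else node_hash(path[-1], below)
    return climb(m, n, path) == root

# Constructed stand-in log; real entries are DER (pre)certificates, the tree logic is identical.
LOG = [b"cert:" + d for d in (b"example.com", b"example.net", b"example.org", b"shop.example.com", b"mail.example.com")]
def demo(idx: int = 3) -> tuple:
    """Returns (logged entry verifies, never-logged entry verifies): expected (True, False)."""
    root, path = tree_head(LOG), audit_path(idx, LOG)
    genuine = verify_inclusion(LOG[idx], idx, len(LOG), path, root)
    forged = verify_inclusion(b"cert:shop.example.com/never-logged", idx, len(LOG), path, root)
    return genuine, forged
```

In a real deployment the auditor fetches the signed tree head and the audit path from the log over its HTTP API; the arithmetic is the same as here.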
Google hasn’t announced any changes to the way its search engine algorithm gauges secure websites for a rankings boost; however, we can certainly expect a shift towards a stricter evaluation of what “secure” means for Google in the future.
All of the changes around transparency and security promoted by Google make the case for switching to HTTPS more pronounced than ever.
Or you can consult these helpful step-by-step guides for migration to HTTPS: