With the world rapidly moving towards an “HTTPS by default” approach (Mozilla reports that over 48% of page loads in Firefox now use HTTPS, and Google now serves 85% of its traffic over HTTPS), transport on the web is undoubtedly becoming more secure. That is only one dimension of security and does not necessarily mean sites are more secure overall, and the road to HTTPS is looking likely to be rougher than it has been in the past.
Starting January 2017 (or whenever Chrome 56/Firefox 51 rolls): Part 1
Users of Chrome and Firefox will start to see certificate warnings on sites using WoSign and StartCom certificates (initially those issued after 21 October 2016, with older ones to follow), as Google moves to distrust the certificates those organisations issue. The reason given is that “WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements” and attempted to “mislead the browser community”. Firefox is following the same process.
Starting January 2017 (or whenever Chrome 56/Firefox 51 rolls): Part 2
In Chrome, HTTP pages that collect passwords or credit card details will start to be marked with a “Not secure” label in the address bar.
Firefox users will start to see a grey lock icon with a red strike-through in the address bar on “web pages which collect passwords but don’t use HTTPS”.
Starting January 2017 (or whenever Chrome 56/Firefox 51 rolls): Part 3
It’s the start of the end of the road for SHA-1 certificates in Chrome: support is removed for SHA-1 certificates that chain to a public (globally trusted) root, so those sites get a certificate error rather than a warning. Firefox is following a similar (though not identical) process.
Starting March 2017 (or whenever Chrome 57 rolls)
The end of the road for SHA-1 certificates issued by locally installed (enterprise) PKI roots in Chrome: support is removed by default. Enterprises that need more time can re-enable it with the EnableSha1ForLocalAnchors policy, which is intended for “rare cases where an enterprise wishes to make their own risk management decision”; pages using such certificates then get a neutral indicator rather than the lock, and the policy itself is time-limited (see 2019 below).
Sometime in the future (possibly 2017?): Part 1
Google aims “In following releases” to “extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy”. The end game? “…to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that [Chrome] use[s] for broken HTTPS.”
Sometime in the future (possibly 2017?): Part 2
In upcoming releases, Firefox will show an in-context message when a user clicks into a username or password field on a page that doesn’t use HTTPS. That message will show the same grey lock icon with red strike-through, accompanied by a similar message: “This connection is not secure. Logins entered here could be compromised.”
Bonus: Sometime in 2019
End of the road for SHA-1 in Chrome entirely: from 1 January 2019 the EnableSha1ForLocalAnchors policy stops working, so SHA-1 certificates are rejected regardless of which root they chain to.
How to avoid the above
Firstly, see my article on why to use SSL/TLS, then use a provider such as Let’s Encrypt, Cloudflare or AWS Certificate Manager to get free certificates for your website. Two caveats: ACM certificates are for use with AWS services such as Elastic Load Balancing and CloudFront rather than on servers you run yourself, and Cloudflare’s free certificates terminate TLS at Cloudflare’s edge, so make sure the connection from Cloudflare back to your origin uses TLS too (their “Full (strict)” mode) or you have only moved the plaintext hop, not removed it.
Once you’re set up, test your site at SSL Labs (https://www.ssllabs.com/ssltest/) and make sure it’s as secure as you think it is: check the certificate chain, the signature algorithm of every certificate in it, and the protocol versions and cipher suites it reports.
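Before any of the browser releases above reach your users, you can check a certificate yourself. The script below is an added example (it is not code from the original post) that uses openssl to test a PEM certificate for the two conditions described earlier: a SHA-1 signature (rejected for public roots in Chrome 56/Firefox 51 and for locally installed roots in Chrome 57) and issuance by WoSign or StartCom on or after 21 October 2016. The function names, the cutoff constant and the self-signed fixture generator are assumptions made for this example; it needs openssl and GNU date on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks a PEM certificate
# for the two things the early-2017 browser changes key on:
#   1. a SHA-1 signature (rejected for public roots in Chrome 56 / Firefox 51,
#      and for locally installed roots in Chrome 57),
#   2. issuance by WoSign or StartCom on/after 21 Oct 2016 (the distrust cutoff).
# Assumes openssl and GNU date (for `date -d`) are on PATH.

CUTOFF_EPOCH=1477008000   # 2016-10-21T00:00:00Z as a Unix timestamp

# cert_signature_alg FILE: print the signature algorithm name,
# e.g. sha256WithRSAEncryption or sha1WithRSAEncryption
cert_signature_alg() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# cert_issuer FILE: print the issuer DN on one line
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# cert_not_before_epoch FILE: print notBefore as a Unix timestamp
cert_not_before_epoch() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    date -u -d "$nb" +%s
}

# check_cert FILE: print one line per finding; exit status is the number
# of findings, so 0 means the certificate is not caught by either change.
check_cert() {
    file=$1
    findings=0

    alg=$(cert_signature_alg "$file")
    case $alg in
        *sha1*|*SHA1*)
            echo "FAIL: $file is signed with $alg; Chrome 56/Firefox 51 reject it"
            findings=$((findings + 1)) ;;
    esac

    issuer=$(cert_issuer "$file")
    if printf '%s' "$issuer" | grep -qiE 'wosign|startcom'; then
        if [ "$(cert_not_before_epoch "$file")" -ge "$CUTOFF_EPOCH" ]; then
            echo "FAIL: $file issued by WoSign/StartCom after the 2016-10-21 cutoff ($issuer)"
        else
            echo "WARN: $file issued by WoSign/StartCom before the cutoff; still on the distrust path ($issuer)"
        fi
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: $file ($alg; $issuer)"
    fi
    return "$findings"
}

# make_selfsigned OUT_PEM SUBJECT_DN: constructed fixture for trying the checks
# offline. A self-signed cert has issuer == subject, so a subject naming WoSign
# exercises the issuer rule. This is not a real CA certificate.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "$2" -keyout /dev/null -out "$1" 2>/dev/null
}

# Usage: sh check_cert.sh site.pem [more.pem ...]
for f in "$@"; do
    check_cert "$f"
done
```

To check a live site, fetch its leaf certificate first, for example with openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -out example.pem, then run the script on example.pem. The script looks only at the file you give it; the browsers reject SHA-1 anywhere below the root, so run it against each intermediate in your chain as well.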
Image Credit: Blog header image by Sean MacEntee