Slow death of HTTP protocol for websites

Upcoming Chrome 68 stable updates, (expected on the 23rd of July 2018) will change the way how the browser is marking HTTP pages. From that release, by default, Chrome will mark them as "not secure", pushing web developers and admins to use HTTPS protocol for their websites.

Mozilla Firefox and Microsoft Edge are expected to follow in upcoming new releases of their web browsers.

Google first indicated that back in September 2016 with Chrome 56 update blog post marking as "not secure" website which were collecting sensitive information, like passwords and credit card details.

Making another step into more secure web with Chrome 68 update.

HTTPS protocol is now used by over 37.2% of all websites according to data from W3Tech, and this should see much greater increase after the Chrome update.

Secure(er) internet

With SSL certificates become cheaper, or even free using Lets Encrypt, there is absolutely no reason why developers and web admins should not use HTTPS protocol as standard during the web development process.

Worth mentioning is also what types of SSL protocols are used to secure the connection. PCI Council (Payment Card Industry Security Standards Council) has suggested to migrate from TLS 1.0 protocol to TLS 1.1 or higher by 30th June 2018. Updated PCI DSS requirements.

SSL protocols (SSL v2.0 and SSL v3.0) should be disabled due to their weaknesses.

It’s highly recommended, from security point of view, to also disable TLS v1.1, leaving only TLS v1.2 and TLS v1.3. Currently (all modern web browsers support TLS v1.2 and higher). Currently Firefox and Chrome also supports TLS v1.3.

OpenSSL 1.1.1+ library also supports TLS v1.3 protocol.

Make your webserver more secure

Enabling HTTPS for your website is extremally important to provide as much security for your users as possible.

Obviously making your website more secure, there is much more than just enabling HTTPS.

What else should you do? In no particular order:

1. Run SSL Server Test for your website. This will give you great starting point where you are in sense of website/server security.

2. Disable everything below TLS v1.2 on your webserver:

• Apache:

        SSLProtocol -all +TLSv1.2

• nginx:

        ssl_protocols TLSv1.2;

3. Enable OCSP stapling
4. Disable web server token / signature
5. Force usage of server ciphers
6. Specify strong ciphers only
7. Generate 4096 bits Diffie-Hellman key

There are few other aspects you should take into account when hardening your server. Internet provides many tutorials and white-papers on web security, but nothing can replace experience, so best speak with specialist who can suggest best solution for your needs.

Stay safe!

Last thing to add is HTTP/2 which requires TLS v1.2, as minimum to work in major browsers (but it's not required by the standard itself). And there are way too many benefits to not use that for your website!

---

Useful links:

• SSL / TLS related stats
• Check browser feature support
• POODLE Attack
• Transport Layer Security Wiki
• Check your web server SSL configuration
• MS Windows SSL / TLS Support
• SSL Certificate Authorities market shares

Updated 4th July 2018 by Egon Expert Team