Preying on your insecurities
Google, on a mission to get the whole world to use https and abandon http, has recently updated Chrome version 68 to name and shame webpages which do not use a secure certificate. It turns out that the warning is actually pretty mild, an easily-overlooked grey "Not Secure" in the address bar, although it will probably grow more prominent over the coming months.
What does https mean? It means that the connection between you and the website you are looking at is secure, you know you are looking at the genuine website and not a forgery, and that no-one can be eavesdropping on your communications with that website, or modifying the data en-route.
That all sounds like a good thing, although the encryption and decryption process does add to the processing overhead, and also makes it more difficult for ISPs and large organisations to provide border caches of frequently used static info. If you are sending credit card info or banking login details over the internet, you really should be using secure https, but a lot of people operate sites which are, say, a simple photo gallery, nothing remotely confidential, open to the world. For those site operators, https is just yet another technical overhead, yet if they don't comply, visitor numbers will drop greatly because most people will think "not secure" means dangerous, or possibly virus infected.
The most important thing to stress is that https doesn't say anything about whether or not a site itself is secure, only that the communication channel between your browser and site is tamper-proof. A site can use https and get the green padlock seal of approval in a browser, whilst at the same time having a website which leaks all your confidential data like a sieve. It also doesn't mean a site is safe. Sites intent on serving malware to your computer are just as likely to use https as any other website. Remember too that https is no protection against malware and key-loggers which have infected your own computer. It is true that https makes us a bit safer, but please don't think it guarantees safety.
Some household names and a lot of smaller websites haven't yet implemented https, and the highest-ranked and busiest UK site which is yet to make the switch is the Daily Mail. Other sites, such as www.argos.co.uk or www.legislation.gov.uk do have https implemented but do not enforce it, so anyone typing the address in by hand and omitting the protocol, i.e. www.argos.co.uk, finds themselves accessing the site using the less secure http. Virgin, the airline, enforces https on its domain virgin.com and their alternative address www.virgin.co.uk correctly redirects to the secure version of virgin.com, but miss out the www and just put virgin.co.uk into your browser and it hits a brick wall. It should be stressed, though, that there is no evidence any of these sites are in any way insecure or dangerous to use, regardless of how Chrome labels them.
In an ideal world, end users shouldn't need to know about protocols and www prefixes. If you type skillzone.net into your browser, for example, with or without the https or the www, you will always end up at https://www.skillzone.net without needing to take any special action or answer any security questions, and that is the way it should be. But when big commercial sites and government sites struggle to deal with all the possibilities and permutations, should it come as any surprise that many smaller sites are having trouble complying with this push to https?
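For site operators who want to check their own domain against those permutations, here is a small audit sketch, added as an example and not part of the original newsletter. The domain example.test, the canned responses and the function names are all constructed for illustration; `fetch` stands in for whatever makes the real request.

```python
from urllib.parse import urlsplit, urljoin

def variants(domain):
    """The four ways a visitor might type the address of a bare domain."""
    return [f"{scheme}://{host}/" for scheme in ("http", "https")
            for host in (domain, "www." + domain)]

def follow(url, fetch, max_hops=5):
    """Follow redirects. fetch(url) returns (status, location), or None if nothing answers."""
    chain = [url]
    for _ in range(max_hops):
        result = fetch(url)
        if result is None:
            return chain, "unreachable"
        status, location = result
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # Location may be relative
            chain.append(url)
            continue
        return chain, "ok" if status == 200 else f"status {status}"
    return chain, "redirect loop"

def audit(domain, canonical, fetch):
    """Classify where each typed variant ends up, relative to the canonical https URL."""
    report = {}
    for start in variants(domain):
        chain, outcome = follow(start, fetch)
        final = chain[-1]
        if outcome != "ok":
            report[start] = outcome
        elif urlsplit(final).scheme != "https":
            report[start] = "https not enforced"   # page served over plain http
        elif final != canonical:
            report[start] = "non-canonical"
        else:
            report[start] = "enforced"
    return report

# Constructed responses for a hypothetical site showing both problems described above:
# the bare domain is served over http without a redirect, and https on the bare
# domain does not answer at all (the "brick wall").
SAMPLE = {
    "http://example.test/": (200, None),
    "http://www.example.test/": (301, "https://www.example.test/"),
    "https://www.example.test/": (200, None),
}

def sample_fetch(url):
    return SAMPLE.get(url)

if __name__ == "__main__":
    for url, verdict in audit("example.test", "https://www.example.test/", sample_fetch).items():
        print(f"{url:32} {verdict}")
```

A correctly configured site reports "enforced" for all four variants.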
7th August 2018
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.