Google Has Increased HTTPS Use. Is That Enough?

There's a technology that almost everyone uses everyday, and Google is trying to make it more secure. Back in the olden days, we used to refer to it as the World Wide Web.

HTTPS is the internet protocol which delivers the web through TLS encryption. Back in the 90s, I only saw HTTPS in my web browser while entering credit card information in the early days of e-commerce. Now a lot of ordinary websites and web applications use HTTPS by default, including data which isn't obviously sensitive.

Google is probably the most powerful company on the web, and they have used their influence in recent years to encourage HTTPS to replace plaintext HTTP altogether. Two of Google's means to that end are ranking websites that use HTTPS as default over those which don't in web search results, and flagging HTTP websites as “not secure” in Google Chrome. Google web search ranking can make or break a lot of companies, and Chrome has significant web browser marketshare. So the results have been tangible. As of October 14th, Google reports that about 66% of web traffic through Chrome for Windows is HTTPS, an increase from about 50% in 2016. HTTPS traffic on Android devices now accounts for about 64%, up from 42% in 2016. I'm very pleased about that. But we musn't be lulled into a false sense of security.

TLS connections have always been susceptible to man-in-the-middle attacks. That's when a data transmission is intercepted by a malicious third party. That's why I'd never conduct my online banking over a public WiFi hotspot in my local coffee shop. While looking at my bank's website in the web browser on my phone, I could see HTTPS in my address bar and the website could operate normally. But another endpoint on that hotspot could be acquiring my browser's cryptographic keys, allowing the attacker on that endpoint to turn the ciphertext going back and forth between my phone and my bank into plaintext.

Many HTTPS websites don't use perfect forward secrecy. Perfect forward secrecy involves a unique cryptographic key being generated for each TLS session, including those through HTTPS. If a key is acquired by a malicious party, only one use of a website or web application is made insecure. Imperfect forward secrecy uses the same key for multiple sessions. That greatly increases the value of a key to cyber attackers, and also gives them a much larger time duration window for them to use that key. Imagine if the physical key to our house's front door got into a burglar's hands, my partner and I could be robbed of all of our precious video game systems and musical equipment, but my neighbors would be unharmed. If the same key could be used to unlock the front doors of all of the houses on my street, there'd be the potential for much more burglary.

HTTPS security depends on certificate authorities acting properly. A certificate authority is a trusted third party which certifies the ownership of a public key. Private keys are necessary for TLS to work, but so are public keys. The effect of certificate authorities on HTTPS is a massive topic on its own. But here's the relevant matter in a nutshell- effectively any certificate authority can issue a certificate for any website, and they aren't centrally regulated. Rogue certificates are a problem. There have been many incidents over the years. One that comes to mind for me is when ANSSI, a French CA, issued a rogue certificate for Google.com. Whoever acquired the certificate could easily perform man-in-the-middle attacks on Google web service HTTPS sessions. Ouch!

I think about HTTPS the same way I think about the seatbelts and airbags in my partner's car. (As far as motor vehicles are concerned, I've always been the passenger and never have been the driver.) They are absolutely necessary, especially seatbelts. I buckle my seatbelt as soon as I'm in my seat. The nagging beeps the car makes when a passenger isn't buckled up are like Google Chrome's “not secure” flags for HTTP websites. Wearing a properly designed seatbelt could save your life in a car accident. They definitely reduce deaths and injuries. But the seatbelts and airbags aren't a license for my partner to drive recklessly. Sometimes people still die in car accidents even if they're wearing seatbelts. My partner still must pay attention to the other vehicles on the road and obey traffic laws.

It's great that Google has increased HTTPS usage, but we still must be vigilant about web security.