Why blocking ads and enforcing HTTPS is a good thing.

Table of contents
  1. Ok, so I still can rely on my ad-campaign income, but what about the enforcement of SSL encryption on my website?
  2. I can’t afford an SSL certificate! The last time I checked, they were like 100$ a year!
  3. So, I click install, and I am done?
  4. Now that Google Chrome says my application is “Secure,” am I done?

What’s happening?

Over the last few days, there were multiple announcements about the Chrome browser and its new features, from an integrated ad-blocker to trust warnings on websites without HTTPS encryption. But what is all the fuss really about?

Is the Chrome team trying to remove my income from the ad campaigns on my website? In short: No, they aren’t! Google Chrome’s new feature targets advertisements that redirect the user’s focus away from the page’s content. If your website uses normal ad displays, they won’t be affected by the new features in any way. So-called “tab-unders” are examples of advertisements that will be blocked, starting with the release of Google Chrome 64. They cover all kinds of ads that open a new tab without asking and redirect the user to it. Where previously a user could only close the newly opened tab to get back to the original site, these advertisement tabs now either won’t open at all, or the user will get a UI dialogue asking for permission. Besides tab-unders, animated and intrusive ads will also be blocked.

Figure: Overwhelmed by ads (Source: Altered Carbon — Episode 1 “Out of the Past” [37:19], ©Netflix 2018)

Ok, so I still can rely on my ad-campaign income, but what about the enforcement of SSL encryption on my website?

Way back in 2014, Google started to rank websites that provide SSL encryption higher than pages that do not. Since then, the percentage of encrypted website traffic through the Chrome browser has increased to 68 percent on Windows and 78 percent on Mac. Starting in July 2018, Chrome will mark websites as “not secure” if they do not provide any SSL encryption. But what does it mean to be “not secure”?

Figure: The current display of encryption state (Google Chrome 64)

Well, depending on the features your web application provides, being “not secure” might not mean anything. Still, it can increase the mistrust new users may feel toward your application. A simple static website that does not offer any interaction might not benefit from an SSL certificate. On the other hand, any non-encrypted traffic can be monitored, and it is especially interesting for attackers if it contains user-provided data. This includes passwords, credit card information, and other valuable information. Even though there might not be a technical benefit in having encryption on a static website, people will still be more likely to use it if they don’t see the “not secure” label. If you handle confidential user input and don’t provide encryption already: shame on you! Now is the time to change it!

Figure: Display of encryption starting in July 2018 (Source: Chromium)

I can’t afford an SSL certificate! The last time I checked, they were like 100$ a year!

First of all, it is important to know that there are multiple kinds of SSL certificates, and every certificate is signed by a certificate authority (CA). Therefore, some of them are more trustworthy than others, and the prices also differ from very cheap to very expensive.

But wait! There are also free ones that even the smallest website can afford. Projects like Let’s Encrypt have grown rapidly over the last few years and have proven that it is possible to provide free SSL certificates to more than 100 million domains. As a technically experienced user, it is easy to obtain and install a valid certificate within a few minutes. Many web hosters also provide one-click options that automatically create a valid Let’s Encrypt certificate during account creation, which is even easier. In summary, a valid SSL certificate costs me only a few minutes and not a single dollar.

So, I click install, and I am done?

Basically, that’s it! Larger corporations probably won’t go for a free certificate but want to increase the trust level even further. Higher tiers of SSL certificates also show the company name within the certificate and require certain information to be verified before the certificate is issued to the company. A simple free certificate mostly doesn’t verify any user or company information and only validates the domain name.

Now that Google Chrome says my application is “Secure,” am I done?

The traffic between clients and your application is now encrypted and cannot easily be monitored or analyzed, but there is more to do!

There are multiple ways of encrypting the data, the so-called cipher suites. In most setups, whoever operates the server the certificate is deployed on can choose which suites to use and override the default values, which are not always the best. In addition, you can restrict the ciphers, disable certain legacy features that contain known vulnerabilities, and enable others that are missing by default.
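As an added example (not code from the original post), the following Python script shows what overriding those defaults looks like in practice: it builds a server-side TLS context that only offers forward-secret AEAD cipher suites on TLS 1.2 or newer with compression disabled, and it includes a small audit that flags legacy suites in any cipher list. The `LEGACY_MARKERS` selection and the constructed `legacy_default` list are illustrative assumptions, not a complete hardening policy.

```python
import ssl

# Substrings of OpenSSL cipher-suite names that mark legacy algorithms
# (an illustrative selection, not a complete policy).
LEGACY_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXPORT")
# Suites whose key exchange gives forward secrecy: (EC)DHE, and every TLS 1.3 suite.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def audit_cipher_names(names):
    """Return (cipher, reason) findings for suites a hardened setup should not offer."""
    findings = []
    for name in names:
        for marker in LEGACY_MARKERS:
            if marker in name:
                findings.append((name, f"legacy algorithm {marker}"))
                break
        else:
            if not name.startswith(FORWARD_SECRET_PREFIXES):
                findings.append((name, "no forward secrecy (static RSA key exchange)"))
    return findings


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side TLS context that overrides the library defaults:
    TLS 1.2+ only, no compression, server-chosen AEAD suites with forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # drops SSLv3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression enables CRIME-style leaks
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # the server's order wins, not the client's
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    if certfile:  # certificate and key paths are placeholders supplied by the caller
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Summarise the protocol floor, compression flag and weak suites of a context."""
    return {
        "min_version": ctx.minimum_version,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_ciphers": audit_cipher_names(c["name"] for c in ctx.get_ciphers()),
    }


if __name__ == "__main__":
    # Constructed list resembling an untouched legacy cipher list, for comparison.
    legacy_default = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA", "RC4-MD5"]
    print("legacy findings:", audit_cipher_names(legacy_default))
    print("hardened context:", audit_context(hardened_server_context()))
```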

We gathered a list of possible improvements for configuring your SSL certificate in this blog post. If you are interested in validating your existing Certificate’s security, we also provide an extensive test in our free package of the Crashtest Security Suite. After just a few minutes, we list all the findings and provide you with the information you need to improve.

Let’s not only encrypt but also do it right!
