HTTPS and Web Security – The State of the Web

July 23, 2019



Rick: Hello everyone, and welcome back to another episode of The State of the Web. My guest today is Emily Schechter, who's here to tell us about HTTPS. You probably know of it as the thing you need to enable to make your site secure, but Emily's here as product manager on the Chrome security team to explain how it's so much more than that. Let's get started. So Emily, thank you for being here.

Emily: Thanks for having me. I'm excited to be here.

Rick: Can you start by telling us what HTTPS is and why it's so important?

Emily: Yeah, so HTTPS is actually just HTTP, but over a secure connection, and what HTTPS actually gives us is identity, encryption and integrity. So what that means is, if you type https://google.com into a web browser, you can be sure that you're talking to the real google.com, not some fake google.com, and it also means that no attacker on the network can actually see or modify any of the traffic. And this is actually really important, because the collection of sites that you're browsing actually says a lot about your intentions, your behavior and your identity. And the web is really continuing to get even more powerful as Chrome adds new features to the web platform. For example, the web now has the geolocation API, which means that sites can see where I live, where I work, maybe where my doctor is or where my kids go to school, and we really only want that information to be private between myself and the site that I trust. So HTTPS gives us these guarantees, and this is why we think it's really important for the whole web to be HTTPS by default.

Rick: So it's been around for a while, and it has kind of accumulated some misunderstandings around it. Can you help dispel some of the myths around it?

Emily: Sure. Yeah, so HTTPS has actually been around for quite a long time, but for many years it actually was very expensive and very slow, and really hands-on and confusing to set up. But the reality is that people all over the web have worked hard to make that change, and it's become a lot cheaper and a lot easier to set up HTTPS. People still think some of these myths about how it used to be are still true, but the reality is that that has changed. So, for example, it used to be really expensive to set up HTTPS because you had to buy a certificate from what's called a certificate authority, but now there are certificate authorities out there that will give you a free certificate and make it really automatic and easy to set up. One of the examples is Let's Encrypt. So this has actually changed HTTPS and made it much easier to adopt.

Rick: So what is the state of HTTPS now? I look at HTTP Archive data and it says that adoption is around sixty percent, and when you go back and look through seven years of data you can see it's actually rising pretty steeply. So what are the tools that you use to understand the state of HTTPS, and what is it?

Emily: So Chrome has a public transparency report where we publish data about what we're seeing in Chrome in terms of the amount of HTTPS usage that's out there on the web. So, for example, what we're seeing is that the usage in Chrome, on all of the different Chrome platforms, on desktop and on mobile, has been rising over the years, and if you go on to the transparency report you can see, per Chrome platform, how the usage is increasing. You can also see this not only in terms of the pages that are loaded over HTTPS, but also browsing time, because, as you might imagine, people are spending different amounts of time on different sites, and we can see that that is growing across the different Chrome platforms as well. It's also broken down by country, which is pretty interesting, because you can see how different countries all over the world are doing on their adoption of HTTPS. Some other things that are on the transparency report are HTTPS adoption actually at Google. So you can see, you know, Google is a big site just like any other site; it took us a long time to actually get this ramped up, and so it's pretty cool that the transparency report also shows how HTTPS usage has grown at Google for all of our different products.

Rick: So what kinds of things is Chrome doing to increase HTTPS adoption?

Emily: So I would say there are two main areas where Chrome has made slow changes over time to encourage HTTPS adoption. The first is in Chrome's UI for connection security. So Chrome shows an icon in the address bar that indicates connection security, and we've actually changed this icon over time to help users understand the lack of security in HTTP connections. So Chrome used to show just this plain circled "i" icon for HTTP connections, and we thought that was actually a problem, because it really doesn't indicate to people at all that there's no security with an HTTP connection. What we'd actually like to get to for all HTTP connections is this kind of scary red "Not secure" warning. But we think that if we just rolled that out for all HTTP sites right away, it actually could cause some panic, right? Because we don't want the web to seem scary, we don't want people to see this warning all the time, and we've also seen that people get what's called warning fatigue, which is that if they see warnings too many times, over and over, they start to ignore them; they stop paying attention to them. So we want to be honest with users without sort of inciting chaos and panic. So what we've done is we've actually rolled out the warning slowly over time, increasing it. We first started showing this gray "Not secure" label in the address bar just for HTTP pages with passwords or credit cards, and then sometime later we started showing the warning also when users enter data, or for incognito pages, and we actually just announced that in July of this year we're going to start showing it on all HTTP pages. So we've actually rolled that out over time; we've seen the amount of HTTPS usage increase, and because HTTPS usage has increased, we're not too scared about the warning fatigue that would come from showing the warning.

Rick: And so what about the technical APIs on the web?

Emily: Right, so another thing that we've done in Chrome to encourage HTTPS adoption, and also to, you know, make the web more secure, is to require HTTPS for web APIs that are very powerful. So for new APIs that have come out, like service workers, because service worker is such a powerful API, we've actually required HTTPS to use it. This also goes for HTTP/2, which really improves performance, and it actually requires HTTPS. But we've also taken a look at APIs that already exist on the web, and we've actually deprecated usage over non-secure connections for the APIs that are very powerful. So an example here is geolocation; there's also getUserMedia, which is about getting the photos on your phone, and so now sites can no longer use those over HTTP.

Rick: This is like patching holes in security.

Emily: Exactly.

Rick: That's great. So where do you think we're heading with HTTPS? Are we going to achieve a hundred percent adoption and we can all go home, or is our job not yet done?

Emily: As we talked about earlier, adoption is still, you know, not at a hundred percent yet, so we still definitely have a ways to go. I don't know that we're going to get to a hundred percent, because I think there's always some kind of driftwood sites on the web, things that people don't maintain, but I would like to see us get close. So, you know, if you know any sites out there that are still HTTP, you should go tell them to turn on HTTPS. If they say no, then tell them to come talk to me and tell them why they should. And, you know, users on the web can also vote with their feet: if your bank isn't secure, go find a secure banking website, put your money somewhere else.

Rick: So what are some of the knots that websites need to untangle when they make that switch from HTTP to HTTPS?

Emily: Yeah, so, you know, migrating your website to HTTPS is not as easy as just putting an S on the end of the name of the website; it's not as easy as just getting a security certificate. You actually have to look and make sure that all of the services that your site depends on also support HTTPS. So, for example, a large, complex site might depend on many ad networks, maybe analytics providers, and so the sites have to sort of take an inventory to first see what all of these third-party dependencies are that I have, and then, do they actually support HTTPS? And then if they don't, they might have to go out there and actually convince them to start supporting HTTPS. So it can actually be sort of a project management type project as well, to make sure that you've sort of done spring cleaning of the whole site.

Rick: Well, Emily, thank you so much for being here and telling us about HTTPS. I learned that there's so much more to it than just the S at the end of the URL, or at the end of the protocol in the URL, and how it's actually deeply ingrained with the APIs that people use. Thanks for being here.

Emily: Thanks for having me.

Rick: So if you'd like to weigh in on the HTTPS discussion, leave a comment below. We're going to have links to everything we talked about in the description. Tune in next time. Thanks for watching.
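The inventory step Emily describes, taking stock of every third-party dependency and whether it still loads over HTTP, can be started mechanically from a page's markup. The Python script below is an added example for this page, not tooling from Chrome, HTTP Archive or the show: it parses a constructed sample of an HTTPS page, reports every reference that resolves to an http: URL, classifies each one using the "blockable" versus "optionally blockable" distinction from the W3C Mixed Content specification (scripts, stylesheets, frames and objects are blocked outright by browsers once the page is HTTPS; images, audio and video are only warned about or upgraded), and tallies the third-party hosts that still need convincing. Navigation links and form actions are not mixed content, but they are listed too because they point at the same unmigrated dependencies. All hostnames and the page layout are invented for the demo, and nothing touches the network.

```python
"""Mixed-content and third-party inventory for an HTTPS migration (added example)."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that carry a URL we care about.
URL_ATTRS = {"src", "href", "action", "data", "poster"}
# Per the W3C Mixed Content spec, these elements are "optionally blockable" when
# fetched over http from an https page; everything else (script, link, iframe,
# object, ...) is "blockable" and will simply fail to load after the migration.
OPTIONALLY_BLOCKABLE = {"img", "audio", "video", "source"}
# Navigations and form submissions to http are not mixed content, but they
# still send data in the clear and still point at a dependency that has not moved.
NAVIGATION = {"a", "area", "form"}


class RefCollector(HTMLParser):
    """Collects (tag, attribute, raw URL) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value.strip()))


def audit_html(html, page_url):
    """Return one finding per reference that resolves to an http: URL."""
    collector = RefCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.refs:
        absolute = urljoin(page_url, raw)   # "//cdn..." and "/path" inherit https
        parts = urlparse(absolute)
        if parts.scheme != "http":
            continue
        if tag in NAVIGATION:
            kind = "navigation"
        elif tag in OPTIONALLY_BLOCKABLE:
            kind = "optionally-blockable"
        else:
            kind = "blockable"
        findings.append({"tag": tag, "attr": attr, "url": absolute,
                         "host": parts.hostname, "kind": kind})
    return findings


def third_party_inventory(findings, page_url):
    """Count http: references per host, excluding the site's own host."""
    own_host = urlparse(page_url).hostname
    return Counter(f["host"] for f in findings if f["host"] != own_host)


# Constructed sample page (hostnames are invented for the demo).
PAGE_URL = "https://www.example.com/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="http://ads.example.org/tag.js"></script>
<script src="//cdn.example.net/app.js"></script>
<script src="/static/main.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
<img src="https://static.example.com/hero.png">
<form action="http://www.example.com/login"><input name="pw"></form>
<a href="http://partner.example.org/">partner</a>
</body></html>"""

if __name__ == "__main__":
    findings = audit_html(SAMPLE_HTML, PAGE_URL)
    for f in findings:
        print(f"{f['kind']:<20} <{f['tag']} {f['attr']}> {f['url']}")
    print("third parties still on http:",
          dict(third_party_inventory(findings, PAGE_URL)))
```

Run against a real site, the "blockable" rows are the ones that will break the page the moment it is served over HTTPS, so they go at the top of the migration list; the "navigation" rows are the vendors and partners to contact. Protocol-relative and root-relative URLs resolve to https: once the page itself is https:, which is why the sample's `//cdn.example.net/app.js` and `/static/main.js` are not reported.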

20 Replies to “HTTPS and Web Security – The State of the Web”

  1. EchoPlus Music says:

    03:10, when she said "Chrome platform" and the example is the Firefox browser.

  2. Adam Davis says:

    Great speaker and interesting content, but the background music was a little annoying.

  3. Anthony Grace says:

    If you don't need HTTPS, for obvious reasons, then it should not be dictated by any single entity such as Google. Since when do they own the Web?

  4. Isaac Asante says:

    The eye contact she maintains is unbelievable. Very smart, eloquent lady, though. 👍👍

  5. N3rfe3d says:

    lol, in the 1st place, why is there a need to know so much about us when we use the web?

  6. Waqas Akram says:

    I think Google's future plan is to reach certificate publishing companies by scaring newbies! ————— "That your website is not secured" —————————- because I think HTTPS should only be used for banking transactions.

  7. minj4ever says:

    HTTPS does not hide the domain you are browsing. Because SNI.
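The point in the comment above is correct and is worth seeing on the wire. The Python block below is an added example, not from the video or the commenter: it builds a minimal, constructed TLS ClientHello for a chosen hostname and then parses the server_name back out of the raw record bytes without any key material, which is exactly what an on-path observer can do before any encryption starts. The field layout follows the TLS 1.2 record and ClientHello structures (RFC 5246) and the server_name extension (RFC 6066); the cipher suite and the random bytes are placeholders. Hiding the name takes an additional mechanism such as Encrypted Client Hello, which plain HTTPS as discussed in the episode does not provide.

```python
"""Show that the SNI hostname in a TLS ClientHello is plaintext (added example)."""
import os
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name extension, RFC 6066
SNI_NAME_TYPE_HOST = 0        # NameType host_name


def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello record that carries one SNI entry.

    Constructed for the demo: real clients send many more suites and extensions.
    """
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", SNI_NAME_TYPE_HOST, len(name)) + name   # ServerName
    sni_body = struct.pack("!H", len(entry)) + entry                    # ServerNameList
    extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_body)) + sni_body
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + os.urandom(32)                      # random
        + b"\x00"                             # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                         # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent.

    Only the plaintext bytes are read; no keys are involved, which is the point.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session_id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        q, list_end = 2, 2 + list_len
        while q + 3 <= list_end:
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            q += 3
            if name_type == SNI_NAME_TYPE_HOST:
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


if __name__ == "__main__":
    record = build_client_hello("www.example.com")
    print("ClientHello bytes:", record.hex())
    print("SNI seen on the wire:", extract_sni(record))
    print("hostname appears literally in the record:", b"www.example.com" in record)
```

The same parser works on the first record of a real capture, because the ClientHello is the one message that is always sent before any key exchange; the content of the HTTPS session that follows is what the identity, encryption and integrity guarantees in the episode actually protect.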

  8. Samar Panda says:

    Glad to know about the transparency report by Google, i.e. http://bit.ly/2Myincy

  9. Felipe Nascimento de Moura says:

    I support the HTTPS Everywhere campaign.
    With that said, I dislike the idea of not having an option out of it!

    I faced a situation exactly because of that!
    See the scenario below:
    I had to build a software for a factory where users would use their cellphones to take pictures and send them to the server.
    The server would be sitting in a room serving the software.
    But the problem is that this is a closed network with no internet access…the cellphones would connect to this closed network and access the server by its IP.
    So far so good, except no cellphone could open the camera ¬¬
    It took me 2 days to develop the software, and 4 days of struggle through installing and configuring many absolutely unnecessary things in the server!

    The point is…it was my cellphone, accessing my software, running in my server, using my closed network, and chrome couldn't trust me?!?!
    And it took me so much stressful, awful, unnecessary time (and money)!

    I believe we should have at least a "come on, I know what I'm doing, now let me do my thing" option!
    (the flags for this only work on rooted cellphones…so…more useless work, time, money, stress…)

    Again, I'm in favor of HTTPS everywhere…I just think there should be well documented ways to add exceptions…otherwise, I will keep hearing things like "oh, you can't do this with web technologies" 🙁

  10. Sreelal TS says:

    Such an awesome talk. This would help all of us understand the power of the S at the end of HTTPS. That S has a lot of meaning. Wow. Thanks, Emily ma'am and Rick 🙂
    I've already written an article about HTTPS, I hope it will be helpful to somebody reading this. 🙂
    Here is the link to my article: https://goo.gl/5a624w

  11. rakesh choudhary says:

    Awesome

  12. Peter Phillip says:

    Silly fact: HTTPS actually makes your load time slightly faster too 🙂 check out tests

  13. Giovanni Pires da Silva says:

    Apple like studio hahaha

  14. Fenix & Friends says:

    Good video, nothing to complain about in the content 🙂 Just the transition at the end between the goodbye and the outro, a bit anticlimactic hehe

  15. Aceix Smart says:

    the psychology behind the warning at 4:43 amazes me. wow!

  16. Matt Johnston says:

    This is great, but I would like to know what changed that made Let's Encrypt possible, and why now?

  17. Willi Lustig says:

    "HTPS" 😀

  18. Rick Viscomi says:

    When I talk about HTTPS adoption being ~60%, then the graphic shows ~75%, that actually wasn't a mistake! Just goes to show how fast HTTPS is being adopted on the web from the time between filming this episode (in April) to now!

  19. rustygb says:

    What is http 2.0? Is it secure?

  20. SALIM Shaikh says:

    Wow it's awesome 👍💯
