Are you ready for the HTTPS crackdown?
Thursday, October 5, 2017
Google clamps down on the unsecured http internet even more with two key changes to infrastructure and browsers...
The move towards an HTTPS-only internet has taken a few more steps this month, some widely telegraphed and some less so.
Unexpectedly, search giant Google has announced that it will be enforcing HTTPS for a total of 45 TLDs (top-level domains), including .google, .how and .soy (a full list is here). The company plans to do this via a mechanism called the HTTP Strict Transport Security (HSTS) preload list, which closes a loophole that man-in-the-middle attackers could otherwise exploit.
The HSTS preload list is built into all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge and Opera) and consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections. This means that insecure connections are never allowed: the browser never loads an http-to-https redirect page, which could otherwise be intercepted, so security is improved.
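The following is an added example, not code from the article or from any browser, showing the two halves of the mechanism just described: how a preload-aware browser rewrites an http:// URL to https:// before any request leaves the machine (so the interceptable redirect is never fetched), and how a server's Strict-Transport-Security header is checked against the preload submission requirements. The preload entries are constructed for illustration, and the one-year minimum max-age is taken from hstspreload.org's current requirements (an assumption; the value was lower in 2017).

```python
"""Added example (not from the article): HSTS preload lookup and header check."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample preload entries: hostname -> includeSubDomains flag.
# The real list is compiled into the browser; these are assumptions for illustration.
PRELOAD = {
    "example.com": True,          # whole domain tree is preloaded
    "login.example.net": False,   # only this exact host is preloaded
}

def is_preloaded(host, preload=PRELOAD):
    """True if host is on the list, or a parent domain is listed with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload and (i == 0 or preload[candidate]):
            return True
    return False

def upgrade_url(url, preload=PRELOAD):
    """Rewrite http:// to https:// for preloaded hosts before any network request,
    as a browser does; port 80 becomes the https default, other ports are kept."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not is_preloaded(parts.hostname or ""):
        return url
    netloc = parts.hostname
    if parts.port and parts.port != 80:
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def parse_hsts(header):
    """Parse a Strict-Transport-Security header into {directive: value}."""
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

# Preload submission requirements (assumed from hstspreload.org): max-age of at
# least one year, includeSubDomains, and the preload directive.
MIN_MAX_AGE = 31536000

def preload_eligible(header):
    """Return (ok, reasons); reasons lists every unmet preload requirement."""
    d = parse_hsts(header)
    reasons = []
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        max_age = -1
    if max_age < MIN_MAX_AGE:
        reasons.append(f"max-age must be at least {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains directive missing")
    if "preload" not in d:
        reasons.append("preload directive missing")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(upgrade_url("http://www.example.com/login?next=/"))
    print(upgrade_url("http://other.login.example.net/"))   # not covered: no includeSubDomains
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
    print(preload_eligible("max-age=300"))
```

The point of `upgrade_url` is that the decision is made purely from the compiled-in list: a host that is not preloaded still gets its first request over plaintext, which is exactly the window a TLD-wide entry removes for every domain underneath it.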
Google claims the move will increase security for web users and site owners alike, and with maximum efficiency: “Registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list. Moreover, since it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users, using an already-secured TLD provides immediate protection rather than eventual protection.”
The new secure TLDs will be rolled out ‘soon’, according to the company, which also hopes that TLD-wide HSTS becomes the security standard for new TLDs.
In a parallel and widely telegraphed development, the Chrome browser will this month mark pages containing a form on HTTP sites as insecure, in an effort to protect users and push webmasters to adopt HTTPS encryption.
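As an added example (not code from the article or from Chrome), here is a small audit that a site owner could run over their own pages to find what the browser change will flag: any form served over plain http, a password field on an http page, and the related case of a form whose action submits to an http URL even though the page itself was loaded over https. The sample HTML in the usage section is constructed.

```python
"""Added example (not from the article): find forms that will be marked 'Not secure'."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

class FormFinder(HTMLParser):
    """Collects each <form> action and counts password inputs in an HTML document."""
    def __init__(self):
        super().__init__()
        self.forms = []            # action attribute of each <form> ("" if absent)
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

def audit_page(url, html):
    """Return a list of findings for one page; an empty list means nothing to flag."""
    findings = []
    parser = FormFinder()
    parser.feed(html)
    if urlsplit(url).scheme == "http":
        if parser.forms:
            findings.append(f"{len(parser.forms)} form(s) served over http: "
                            "browser will show 'Not secure' when the user types")
        if parser.password_fields:
            findings.append("password field served over http")
    # A form on an https page that posts to http still sends the submission in
    # the clear, so it is flagged regardless of the page's own scheme.
    for action in parser.forms:
        target = urljoin(url, action)
        if urlsplit(target).scheme == "http":
            findings.append(f"form action {target} submits over http")
    return findings

if __name__ == "__main__":
    # Constructed sample page for demonstration
    LOGIN = ('<form action="/login"><input type="text" name="u">'
             '<input type="password" name="p"></form>')
    for finding in audit_page("http://shop.example/login", LOGIN):
        print(finding)
```

Resolving the action with `urljoin` matters: a relative action inherits the page's scheme, so moving the page to https fixes it, whereas an absolute http action has to be changed in the markup.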
Ilia Kolochenko, security expert and CEO of High-Tech Bridge, urged caution over accepting HTTPS improvements as a panacea: “In the light of the skyrocketing number of mobile devices and insecure wireless networks, encryption of web traffic becomes increasingly important. However, I can hardly remember any massive data breaches caused by the interception of sensitive data from the unencrypted HTTP protocol, while almost every day a new major data breach, caused by insecure applications, appears in the news, exposing the insecurity of banks, insurers and governments.
“Strong HTTPS encryption won’t protect your personal and financial data from being stolen via SQL injection or in a password reuse attack. The majority of recent security research states that over 90% of all web and mobile applications are vulnerable or insecure. We should address risks in the right priority, and while encryption is an important question, we should also think about how to address vital security problems such as application security.”
High-Tech Bridge’s free SSL/TLS server test has now tested more than 3.4 million servers and has found that, in the last 12 months, a mere 46.2 per cent of servers tested were compliant with PCI DSS requirements, while only 8.3 per cent of email servers were compliant. A concerning 20.9 per cent of web servers tested achieved a grade C or below.
On the bright side, the internet just got a bit safer in general, as Google has also patched serious flaws in Dnsmasq, a DNS software package that is popular in desktop Linux distributions (such as Ubuntu), home routers and IoT devices and that provides DNS, DHCP, router advertisement and network boot functionality. The issues comprised three potential remote code execution flaws, one information leak and three denial-of-service vulnerabilities. According to Shodan, more than 1 million devices on the public internet have Dnsmasq services running.