JULY 23RD – CHROME WILL START FLAGGING HTTP SITES AS ‘NOT SECURE’
Back in February, the percentage of sites loaded over HTTPS clocked in at 69.7%. Just one year prior to that, only 52.5% of sites were loaded using SSL/TLS, the encryption protocol behind HTTPS, so tremendous progress has been made.
Unfortunately, quite a few popular sites on the web still don’t support HTTPS (or fail to redirect insecure requests) and will soon be flagged by Google.
If you were to ask the operators of sites why they don’t protect themselves and their visitors with HTTPS, the responses you would generally get could be put into the following three groups: “I don’t need it”, “it’s difficult to do”, or “it’s slow”.
None of these are legitimate answers, but they’re common misconceptions as we will explain…
“HTTPS IS DIFFICULT TO DEPLOY”
This was true in the mid-1990s, but all that has changed and, thankfully, we’ve come a long way since then. Today, you can protect your site with HTTPS in a matter of seconds.
“I DON’T NEED HTTPS”
This argument is the most puzzling, especially when spouted by people who should know better. Surely you care about the safety and privacy of those visiting your site.
Without HTTPS, anyone in the path between your visitor’s browser and your site or API can snoop on (or modify) your content without your consent. This includes governments, employers, and especially internet service providers.
If you care about your users receiving your website content unmodified and being safe from maliciously injected advertisements or malware, you must use HTTPS.
Besides safety, there are additional benefits such as SEO and access to new web features: increasingly, the major browser vendors such as Apple, Google, Mozilla, and Microsoft are restricting functionality to only work over HTTPS. As for mobile apps, Google will soon block unencrypted connections by default in their upcoming version of Android. Apple also announced (and will soon hopefully follow through on their requirement) that apps must use HTTPS.
“HTTPS IS SLOW”
Lastly, the other common myth about HTTPS is that it’s “slow”. This belief is a holdover from an era when SSL/TLS could actually have a negative performance impact on a site, but that’s no longer the case today. In fact, HTTPS is required to enable and enjoy the performance benefits of HTTP/2.
Detractors typically think HTTPS is slow for two primary reasons: i) it takes marginally more CPU power to encrypt and decrypt data; and ii) establishing a TLS session takes two network round trips between the browser and the server.
Even with decade-old hardware, SSL/TLS adds less than 1% of CPU load. Today’s processors also come with instruction sets such as AES-NI that help performance. Further, session resumption technologies reduce the TLS 1.2 overhead, and TLS 1.3 aims to eliminate these round trips entirely.
When HTTPS content is served from the edge, SSL/TLS-enabled sites are incredibly fast and performant. And even when they are not served from an edge provider, it bears repeating that SSL/TLS is not a performance burden! There’s really no excuse not to use it.
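The introduction singles out sites that do not support HTTPS or fail to redirect insecure requests. The sketch below is an added example, not code from the original article: it classifies the response a server gives to a plain http:// request, so a site owner can see which group their site falls into. The host names and raw responses are constructed samples, and the verdict labels are this example's own.

```python
from urllib.parse import urlsplit

# Redirect status codes and whether they signal a permanent or temporary move.
REDIRECTS = {301: "permanent", 302: "temporary", 303: "temporary",
             307: "temporary", 308: "permanent"}

# Constructed responses to a plain "GET /" sent over http:// (not real captures).
SAMPLES = {
    "good.example": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://good.example/\r\n\r\n",
    "temp.example": "HTTP/1.1 302 Found\r\nLocation: https://temp.example/\r\n\r\n",
    "loop.example": "HTTP/1.1 302 Found\r\nLocation: http://www.loop.example/\r\n\r\n",
    "relative.example": "HTTP/1.1 301 Moved Permanently\r\nlocation: /home\r\n\r\n",
    "plain.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}

def parse_head(raw):
    """Return (status_code, headers) from a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers

def classify(raw):
    """Classify how a server answered a request made over plain HTTP."""
    status, headers = parse_head(raw)
    if status not in REDIRECTS:
        return "serves-content-over-http"
    target = urlsplit(headers.get("location", ""))
    # A relative or http:// Location keeps the visitor on the insecure origin.
    if target.scheme != "https":
        return "redirect-stays-on-http"
    return "https-redirect-" + REDIRECTS[status]

def audit(samples):
    """Map each host to its verdict."""
    return {host: classify(raw) for host, raw in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:18} {verdict}")
```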