Weblog

On July 24th, Google launched Chrome 68. This version marks all HTTP websites as insecure. Although I prefer an HTTPS connection, I don't agree with all the attention this step receives. What I don't like is that I'm sure many people will interpret the 'insecure' sign as the website itself being insecure, and will probably conclude that an HTTPS website is therefore secure. But SSL/TLS doesn't make the website secure, only the connection to that website. A secure connection is important, but it is not the most important thing when it comes to website security.

To get a good perspective on the importance of HTTPS, simply look at this Wikipedia page and this CSO Online article. Tell me how many of those breaches are due to insecure website connections and how many are due to other causes. If we really want a secure web, we should start focusing on vulnerabilities like SQL injection, XSS, file inclusion, weak or default passwords, etc. Such vulnerabilities are the cause of the majority of all data breaches. They have been known for many, many years, but somehow developers still make the same mistakes over and over again.
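To make the point concrete, here is an added example (not code from the original post) of the oldest mistake on that list: an SQL query built by gluing user input into the query text, next to the parameterized version that a database driver handles safely. TLS would protect both variants in transit equally well; only the second one is actually safe. The user table, the credentials and the inputs are all constructed for this example.

```python
import sqlite3

# Constructed sample data for the example; not from the original page.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("O'Brien", "pa55")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The classic mistake: user input becomes part of the SQL text.

    Anything the user types is interpreted as SQL, so a quote in the
    input changes the structure of the query instead of just its data.
    """
    query = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, name, password):
    """The fix: placeholders keep data and SQL structure separate.

    The driver sends the values alongside the query; they are never
    parsed as SQL, so quotes in the input are simply part of the string.
    """
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def compare(conn, name, password):
    """Run both variants on the same input and report what each returns.

    A raised database error is reported as the string "error" so the
    two behaviours can be compared side by side.
    """
    results = {}
    for label, fn in (("vulnerable", login_vulnerable),
                      ("parameterized", login_parameterized)):
        try:
            results[label] = fn(conn, name, password)
        except sqlite3.Error:
            results[label] = "error"
    return results


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe: the vulnerable query
    # is a syntax error, the parameterized one simply works.
    print(compare(db, "O'Brien", "pa55"))
    # A password field containing a quote and an OR clause: the
    # vulnerable query matches every row, the parameterized one none.
    print(compare(db, "alice", "x' OR 'a'='a"))
```

Even the harmless input (a surname with an apostrophe) exposes the problem: the vulnerable version fails with a database error, which is the same structural flaw that lets a crafted value rewrite the query. The parameterized version returns the expected row in one case and nothing in the other, which is exactly the behaviour a login check should have.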

In this weblog, Google explains the most common ways websites get hacked. It is interesting to see that 'insecure connection' isn't one of them.

Unfashionable
14 August 2018, 02:34
I agree and plan to use only HTTP for my website full of public data. HTTPS seems to me to be driven by ad networks, including and especially Google. If they want to imply the site is inferior, that is their choice. I hope people will eventually see that the downsides of a centralized certificate system sometimes outweigh the benefits.