Google bats for HTTPS to secure website security

Hong Kong companies are encouraged to use HTTPS to enhance their website securitHong Kong companies are encouraged to use HTTPS to enhance their website security amidst the growing number of man-in-the-middle (MIM) attacks.

“The internet is a jumbly mess of interconnectivity. Between your computer and the website, there are a number of different points at which someone can actually intercept the connection, and they can read the traffic, and they can actually tamper with the traffic. And so you can have no guarantee of security and privacy in the absence of other security measures on the web,” said Google’s self-styled security princess Parisa Tabriz the local community during a visit to the city two weeks ago.

Tabriz heads the team that protects Google Chrome’s browser, which has two billion users worldwide..

HTTPS is a protocol over which data is sent between a browser and a website. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted.

“HTTPS does not solve all security problems, but it provides the encryption we need. It is an important foundation for internet security,” she said.

Google has been in the forefront pushing for wider adoption of HTTPS over the last two years.

With the release of Chrome 56 in late January, Google has started warning users that the certain HTTP pages that they visit are “not secure”. The warning is now being applied on pages that require HTTP login or payment pages, and it will eventually extend to other HTTP pages. With its large user base, this move might compel website operators to conduct site-wide HTTPS deployment.

Latest figures from Google’s Transparency Report showed 54% of the world’s top websites support both HTTP and HTTPS, while 44% offers default HTTPS.

“The risk of supporting both is that it is possible for an attacker to actually intercept and downgrade you to HTTP. Default HTTPS is a better option in all cases,” Tabriz said.

Local companies lag behind HTTPS adoption

While there are currently no data that show HTTPS adoption among Hong Kong-based companies, local IT insiders say that there are indications that the city does not follow global trends.

“According to the Google Transparency Report and the Firefox Telemetry reports (both browsers promote HTTPS with similar green stamp system), we now have about 50% of the pageloads over HTTPS globally,” said Eric Fan, convenor, information security, Hong Kong Information Technology Federation .

“There are no exact figures regarding the number of .HK websites with HTTPS. Yet, based on my company’s experience, it’s not likely that Hong Kong is catching up the global HTTPS trend. The pick-up rate is not fast enough,” said Fan, who also heads the locally-based UDomain Web Hosting Co.