Online Marketing

HTTPS and Web Security – The State of the Web

My guest today is Emily Schecter who’s here to tell us about HTTP, you probably know of it as the thing you need to enable to make your site secure, but Emily’s here as product manager on Chrome security team, to explain how it’s so much more than that. Let’s get started so Emily. Thank you for being here. Thanks for having me, I’m excited to be here.

Can you start by telling us about what is HTTPS and why is it so important yeah, so HTTPS is actually just HTTP but over a secure connection and what HTTPS actually gives us is identity, encryption and integrity. So what that means is, if you type HTTP google.Com into a web browser, you can be sure that you’re talking to the real google.Com, not some fake google.Com and also means that no attacker on the network can actually see or modify any of the traffic.

And this is actually really important, because the collection of sites that you’re browsing actually says a lot about your intentions, your behavior and your identity and the web isn’t really continuing to get even more powerful, as chrome tends to add new features to the web platform. For example, the web now has the geolocation API, which means that sites can see where I live, where I work, maybe where my doctor is, or my kids go to school, and we really only want that information to be private between myself and the site that I Trust so HTTP gives us these guarantees, and this is why we think it’s really important for the whole web to be HTTPS by default, so it’s been around for a while and it has kind of accumulated some misunderstandings around it.

Can you kind of help dispel some of the myths around it sure yeah, so HTTPS has actually been around for quite a long time, but for many years it actually was very expensive and very slow and really hands-on and confusing to set up HTTPS. But the reality is that people all over the web have worked hard to make that change and it’s become a lot cheaper and a lot easier to set up. Https people still now think you know some of these myths about how it used to be are still true, but the reality is that that has changed.

So, for example, you should be really expense to set up HTTPS because you had to buy a certificate from what’s called a certificate authority, but now their certificate authorities out there that will give you a free certificate and make it really automatic and easy to set up. One of the examples is, let’s encrypt, so this is actually changed HTTPS and made it much easier to adopt. So what is the state if HTTPS? Now I look at HTTP archive data and it says that adoption is around like sixty percent and when you go back and look through like seven years of data, you can see it’s actually rising like pretty steeply.

So what are the tools that you use to understand? The state of HTTPS and what is it so Chrome, has a public transparency report where we published out about what we’re seeing in chrome in terms of the amount of HTTPS usage, that’s out there on the web. So, for example, what we’re seeing is the usage in Chrome on all of the different chrome platforms on desktop and on mobile is been rising over the years and if you go on to the HTTP transparency report, you can see chrome platform how the usage is increasing.

You can also see not only this in terms of the pages that are loaded over HTTPS, but also browsing time, because, as you might imagine, people are spending different amounts of time on different sites, and we can see that that across the different chrome platform is growing. As well, it’s also broken down by country, which is pretty interesting, because you can see how different countries all over the world are doing on their adoption of HTTPS.

Some other things that are on the transparency report are HTTPS adoption actually at Google. So you can see you know, Google, it is a big site, just like any other site. It took us a long time to actually get this ramped up, and so it’s pretty cool that the transparency report also shows how HTTPS usage has grown at Google. For all of our different products, so what kinds of things is chrome doing to increase HTTPS adoption? So I would say there are two main areas where chrome has made slow changes over time to encourage HTTPS adoption and the first is in Chrome’s UI for connection security.

So chrome shows an icon in the address bar that indicates connection security and we’ve actually changed this icon over time to help users understand the lack of security in HTTP connections. So chrome used to show just this plain circled, I icon for HTTP connections and we thought that was actually a problem because it really doesn’t indicate to people at all that there’s no security with an HTTP connection and what we’d actually like to get to for all.

Http connections is this kind of scary: read not secure warning, but we think that if we just roll that out for all HTTP sites right away, it actually could cause some panic right because we don’t want the web to seem scary. We don’t want people to see this morning all the time and we’ve also seen that people get what’s called warning fatigue, which is that if they see warnings too many times over and over, they start to ignore them.

They stop paying attention to them. So we want to be honest with users without sort of inciting chaos and panic. So what we’ve done is we’ve actually rolled out the warning slowly over time increasing, so we first started showing this gray eye not secured in the address bar just for HTTP pages with passwords or credit cards, and then, sometime later, we started showing the warning also when Users enter data or for incognito pages, and we actually just announced that in July of this year, we’re going to start showing it on all HTTP pages.

So we’ve actually rolled that out over time we’ve seen the amount of HTTPS usage increase and because HTTP unit has increased, then we’re not too scared about the warning fatigue that would be shown from the warning, and so what about the technical API is on the web. Right so another thing that we’ve done in chrome, to encourage HTTPS adoption and also to you know make the web more secure is to require HTTPS for web api s that are very powerful so for new api’s that have come out like service workers, because serviceworker is Such a powerful API we’ve actually required HTTPS to use it.

This also goes for HTTP two, which really improves performance, and it actually requires HTTPS, but we’ve also taken a look at api. Is that already exists on the web and we’ve actually deprecated usage over? Not secure connections for the api’s that are very powerful, so an example here is geolocation, there’s also getusermedia, which is about getting the photos on your phone, and so now sites can no longer use those overage.

This is like patching holes and security on exactly that’s great. So where do you think we’re heading with HTTP? Are we going to achieve a hundred percent adoption and we can all like go home or is our job not yet done? As we talked about earlier, adoption is still, you know not at a hundred percent, yet there. So we still definitely have you know a ways to go. I don’t know that we’re going to get to a hundred percent because I think there’s always some kind of driftwood sites on the web, things that people don’t maintain, but I do.

I would like to see us get close, so you know, if you know any sites out there that are still HTTP, you should go, tell them to turn on HTTPS. They said. No then tell them to come talk to me and tell them why they should, and you know users on the web can also vote with their feet if, like their bank, isn’t secure like go, find a secure banking website put your money somewhere else. So what are some of the knots that websites need to untangle when they need to make that switch from HTTP to HTTPS yeah? So you know migrating your web site to HTTPS.

It’s not as easy as just you know, putting an S on the end of the name of the web site. It’s not as easy as just getting a security certificate. You actually have to look and make sure that all of the services that your site depends on. Also support HTTPS, so, for example, a large complex site might depend on many ad networks, maybe analytics providers, and so the sites have to sort of take an inventory to first see what are all of these third-party dependencies that I have and then do.

They actually support. Https and then, if they don’t, they might have to go out there and actually convince them to start supporting HTTPS. So it can actually be sort of a project management type project as well to like make sure that you you’ve sort of done spring cleaning of the whole site. Well, Emily. Thank you so much for being here and telling us about HTTPS, and I learned that there’s so much more to it than just the S at the end of the URL, where at the end of the protocol in the URL and how it’s actually like deeply ingrained With the API is that people use for being Sheriff thanks for every week, so if you’d like to weigh in on the HTTP discussion, leave a comment below we’re going to have links to everything we talked about in the description tune in next time.

Thanks for reading


Online Marketing

I Think My Website Is Hacked! How to Know and How to Fix It

On your website and force a bitcoin ransom, or something like that SEO spam, which infects your Website with spam keywords and pages, not a good look And then there’s also things Like Crypto-Miners adware, that kind of stuff, Nobody Wants that on their website, Nobody want’s that right. No, So it’s not just something! That affects computers. It affects websites too. Yes, websites are definitely At risk – and you want to make sure that you are taking steps – To monitor your environment and protect it and having A plan for response is also very important.

How big of an issue really is this? Well, there’s a stat out. There that says, there’s about 75 % chance that a business Is going to be attacked And right now they say there: Is about 40 % of traffic to your website? Is actually Bots and about half of that is malicious, bots Ugh. That is gross Yeah, it’s not good. No, so how do we go about? Identifying, if our site is infected with malware Well, what you can do, Is you can run a scan on your website? We have a tool called Sucuri site check.

You can also just monitor Your activity logs, if you have somebody who can do that, Maybe a developer – You also wan na make sure That you’re practicing good password management, making sure that you’re users are set with the permissions. That they should have So obviously the least Privileged principle, you wan na make sure that They only have admin for as long as they need it. And then you put them back down to the role level that they need Right on, So that site check is great.

Are there anything that Like super obvious that we should be checking Is it like on Google? Is there on our website? What does that? Look like Yeah? Definitely Well, One of the biggest things is to make sure you’ve updated your site, A lot of the problems. That we see are because of websites that are out of date and have security, vulnerabilities Updates, don’t always mean new features. Sometimes they mean that You’re, actually, you know patching a security flaw that Would let a hacker get in and then do whatever they Want with your website Right, So I was actually Talking to when I was just a customer service, rep at Godaddy I had a customer on the line.

She basically had an interactive book site for little children And she was using WordPress She hasn’t really touched in a while And little kids go on there to read books with their parents. She was unfortunately hacked And the thing that they did was redirect them to a not so great site for little kids. So little Timmy was seeing Some very very adult things So super scary. Is there anything else There was something About Google, you said Like the SCO: What is that Yeah SCO spam is another Really bad one where they inject pages and Keywords into your site, It can show up in your Google search when people are looking for your brand and you’ll see pharmaceuticals, gambling stuff Like discount fashion spam, it’s pretty nasty The malicious redirects That you’re talking about are also terrible cause.

They’re taking your traffic and sending them to like another website, that’s maybe unsavory And you know that’s not A good look for your brand: It causes a loss of trust, So it’s definitely not ideal. Having a website firewall in Place is a really great step to mitigate that It forces All traffic to go through the firewall first Before The visitors hit your website and it also has the Benefit of speeding it up by cashing and using our CDN network, So the firewall is kinda.

Like digging a moat around your house and keeping All the bad neighbors out The in-laws, Anyone that you Don’t want to come in Right, Yeah there you go. That’s One way to look at it: (, laughs, ), All right, Alycia, So website is hacked I’m running around. I’m Screaming that the world is on fire to me right, How do I get this out of here? Yeah? That’s a really Important point, and not a lot of people, have a Response plan in place, Obviously, if you have Somebody you can trust who can remove the malware And has those technical skills that’s a great way to go? There are some tools that can Remove things automatically, but that doesn’t always catch a lot of the hidden back doors.

An attacker will always Try to leave some way to get back in If you just You know go in and clean up the spam pages and keywords the next day, they’re back in And your sites reinfected and a lot of that is Automated on the hackers part, So if you wan na take steps, There are some guides out there. We have one on sucuri.Net on how to clean your hacked website scan for malicious files in the database, and then you can just remove The pieces of malware manually, But generally you probably Want to contact a professional and have them help you Out, It’s usually going to be a bit faster and, like I said they’ll make sure those back doors are gone and that you’ve been removed.

From any blacklists as well, That’s another really important. Point is you don’t want to get blacklisted by Google, Nobody likes that, Then you’re rankings are gone And an important thing to Remember is these hackers they don’t care who you Are They don’t care what your site is about? They just care about hacking. Your site and making money off of you, So it’s not Personal, They just send out their bots to anything that they can find They get in They’re in Automation is super scary, They’ll just write a little script go, get a coffee and Come back and they’ll have a list of like thousands of WordPress websites that they might wan na attack, It’s not ideal and then They can further automate the attacks from there And again small websites.

Are fine because they can use your server resources? They Can use it for SEO spam to try to get other sites To rank that they want They’ll, just use your Resources They can even use your site to attack bigger sites Wow Like what does that look like So like? Let’s say you Are a hacker and you have a bot net of like a Thousand infected websites: You can use the power of all Those servers to launch attacks on like a larger company, So a DDos attack right Yeah, A DDos attack, So, essentially with that you can think of it as like a highway And there’s you know: cars Getting into your website and the hacker is flooding That highway with a bunch of fake cars and now no Real people can actually get into your website And that’s no good And Then all that traffic’s down and it looks like you’re doing it – ( laughs, ), Yeah yeah, nobody Wants to come to a website and see that blank white Loading page, like you know, most visitors, will leave a Website, after like three seconds of waiting for it, To load and it can cause you know a lot of of Disruption for conversion rates and that kind of stuff, So Not ideal for your business, No, and I mean, if you think, About a hacked site right, If your website ever gets Hacked like, if you have a visitor that comes there, they’re likely never coming back.

They’ve lost the trust with your business, Because, if you can’t Protect your own site, how can you protect their information Totally, It’s doubly important if you’re an eCommerce site, Even if you have gateways for Payment that are not hosted on your site, Like through Paypal or Authorize.Net or anything You still have to be PCI Compliant and make sure that you’re protecting the details, Of the people on your site Now with the website and Security we’ve talked about like the malware removal.

And things like that, Should our customers and Our audience really have an SSL on the site, too. Is that important? Yes, absolutely SSL is Awesome and a lot of people equate SSL with security. What SSL does is it makes Sure that any communication between the visitors Browser and your website is encrypted, So it’s data in transit, that’s being protected. Ssl doesn’t actually help Your website from not getting attacked by a hacker But Ssl is still very important.

It’s a ranking signal for Google, So it can help your website get to the top Of Google, if you have SSL And it’s just rapidly Becoming kind of defacto that you have to have SSL On your website as a way to establish trust with your visitors, I love it And that Trust thing is important Cause if you don’t have An SSL on your site, top left of the browser, says “ Not Secure”, To an everyday person. They See “ Not Secure” they’re out, So after we’ve cleaned up the malware.

What should we do going? Forward to make sure that this doesn’t happen again, Or that we’re just protected For sure yeah, You don’t Wan na deal with reinfections Those really suck So number One most important thing is to change all of your passwords, So passwords for your server, your FTP, your hosting account any of Your user accounts, because any of those could have been Compromised during the attack And don’t use password1, Yes Make sure you’re Using good long, complex, unique passwords for everything, Because if they get one password and you’re reusing It everywhere, that’s just They’re in your Facebook Account now your bank account now they’re everywhere and It’s hard to get them out.

Password managers make it a Lot easier, I can’t recommend them enough. I think that’s Probably one of the top security tips that we hear at Sucuri. What’s a password manager, A password manager is a Tool in your browser that will allow you to store And even generate really good passwords, So when You go to a site as long as you’re logged into your Password manager, with your one master, password that by the Way has to be super strong cause, it stores all of your passwords, One password to rule them all Yeah, Which is awesome As Long as you’re logged into your password manager, it’ll Even auto fill the passwords for you, So it makes your Life a little easier And it takes the guess: Work of it out of having to create a password that You’re going to remember, but that’s also very strong, And difficult to hack Awesome What else should We look at to really prevent this from happening again.

Or just protecting ourselves, There’s a lot of different Post-Hack actions and we could go into security forever. It’s A never ending kind of thing, There’s no such thing as Zero risk You’re always some element of risk, But obviously you know making sure that you’re Changing default settings Like don’t use the username admin. You know you can do a lot. Of things through plug-ins and that kind of thing, If you’re using a CMS But there’s also a lot of Steps to take on the server Like changing file permissions And things like that Definitely recommend.

Looking For some guides out there for website security, We Have a couple on sucuri.Net that are freely available: But yeah Definitely taking just extra steps to Make sure that you’re thinking about security and setting those options Awesome Now backups I hear this all the time: Backups backups backups What’s your emergency plan, How often should should We be making backups and what does that look like? Well, it really depends on your site If you’re updating your site, Very frequently, you know it’s very important for You to be able to restore all of that recent content.

Then you wan na be making you know daily or even More frequent backups, You know for some sites, That are only updated, weekly or monthly. Maybe those are How frequent you want them! One important thing to think: About with getting hacked and using a backup is Sometimes the attackers will attack your site and wait. For months to actually launch the attacks, So They’ll, get in and they’ll sit there for a while And then your backups are actually infected, That’s scary! So if you restore a Backup, that’s still has a backdoor in it that Could be troublesome, But still nonetheless, it’s Great to have that safety net, Especially if you have Custom files on your site, If those get overwritten By a hacker – and you don’t have any way to restore the Custom files – it’s not like you, can just pull down The WordPress plugin files or the core files You wan na, make sure for sure That those are backed up All right.

Thank you. So much For coming on the show today and helping us out with How to find malware and what to do with it? It’s been a pleasure, Thank you so much for having me And hey make sure you, like This article and comment below on something that you Learned that you’re going to do with your website to Make sure you’re secure While you’re there Subscribe to this blog Ring that bell, so you Know when these episodes are coming out first, This is “ The Journey” We’ll see you next time,

Who is helping with your digital business footprint?