Jeremy Daniele
Never stop questioning
Do We Really Need Everything Encrypted?
By Jeremy Daniele
Published: 5/18/2018 10p EST

I was reading this article from theverge.com about Google’s Chrome development team wanting to make another change to its beloved browser. So, Chrome started planning around January 2017 to clearly mark websites not using an encrypted HTTPS connection (according to theverge.com). At this point this isn't news, and most of the tech world was split on the issue but for the most part did agree users should clearly see when the connection is safe or not. However, should websites not collecting any information be almost shamed? Recently, theverge.com wrote an article stating that the now well-known “secure indicator” is being removed around September 2018. Basically, Google says, “users should expect that the web is safe by default,” which again I doubt anyone isn't arguing.

Things like this I feel are great ideas, but they can be seen as overkill from a technical delivery point of view. Some websites aren't exchanging private information, which could make it unnecessary or even a waste of money for some developers. Securing a website connection usually requires a CA (certificate authority), which issues digital certificates to organizations or individuals after verifying their identity by showing they have control over the website. Once the certificate is issued, the developer adds it to the server side. These certificates can usually cost anywhere from $75 to around $350 for each domain name PER YEAR!!!

There are free SSL options which do level the playing field for companies or individuals only wanting to display content. Examples like letsencrypt.org and comodo.com offer free SSL certificates which can be renewed every 90 days. This does for the most part solve the problem for everyone, but again we’re talking about the need for it. These free options have been around for a while now, and according to Let’s Encrypt the want for SSL has grown (https://letsencrypt.org/stats). You can even see around January 2017 it really jumped due to all this news.

The question is, does adding this extra technical step actually help or make us any safer for websites that don’t require the user to enter anything? Websites like hp.com or dell.com are used a lot for downloading drivers and/or software for their products. They do sell on their websites too, but should anything that doesn’t require you to give any information really be encrypted?? What about websites for games? There’s addictinggames.com, newgrounds.com (who does encrypt), and even pogo.com that don’t require users to sign up or even log in at all!! You do have the option on all these examples to create an account if you want to keep track of your scores or history, but it’s not required to use their services.

One might ask, “Why not encrypt regardless, since it doesn’t change the front-end experience, and gives the user peace of mind?” The reason would be efficiency, compliance, and costs. Even though there are free SSL certificates, there are some domain owners who can’t encrypt since a lot of websites are forwarding with masking. Website domain names that forward basically just go to another website. This is very common. The difference is when a website is forwarding and then masking: basically, a website that is covering up another website. The ones I’ve used and currently use are shorturl.com and 2ya.com, which let you reserve a subdomain (example sub.domain.com) and regular domain (example domain.com). These types of services came out around the “geocities” days.

Now with the domain JeremyDaniele.com, I use Let’s Encrypt SSL, but some might see that as not as secure, mostly because it’s free. On my web hosting website, I’m using GoDaddy SSL, which is paid for. I do plan on taking payments in the near future, so I found that important, but for pages like this one that you’re on right now the only information that’s being transferred is the very text you’re reading.

Look at it like this. Let's say you went into an electronics store and you’re speaking to a sales person about something you want to buy. The store would be the internet connection and the sales person would be the website you’re interacting with. Now the conversation you’re having with the sales person can be seen as not encrypted because anyone can walk by and hear. Now let’s say you’re at a bank and you want to take out a loan. You walk in and say you want to talk about a home loan. You’re then brought into another area where no one can see and for the most part can’t hear you. You will even start to give the bank person your very private financial information. This can be seen as encrypted. Why should a retail electronics store create secured environments just to show you something they want to sell or demonstrate?

No matter how we discuss this topic it’s still going to happen. So, how do you prepare for this change? As a user you don’t have to do anything. This change is just going to happen. Just be aware of the changes and how to use the browser you like to use. As a developer you should decide quickly where you stand and what type of encryption you will be using for your visitors. Do all your visitors care? Well I guess it would depend on the browser they’re using and the information you will be exchanging with them.

According to w3schools.com (https://www.w3schools.com/browsers), ever since April 2011 Chrome started to become the preferred choice between the famous IE versus Chrome. On w3schools.com it does mention Firefox being the leader at the time, but most of the users for that website are “techies”, so I looked up the Digital Analytics Program (DAP) and found they recorded the majority of users accessing their website in the year 2015 to be Chrome and quickly rising. Now whoever controls the most used browser basically “runs the show” with this topic.



Chrome:

Not Encrypted


Encrypted (digitally verified)


Encrypted (physically verified)

*Keep in mind that just because you see “https” doesn’t always mean it’s encrypted. You want to see the green lock symbol.

Here is what the other known browsers look like.

Firefox:

Not Encrypted


Encrypted (digitally verified)


Encrypted (physically verified)

*Keep in mind that just because you see “https” doesn’t always mean it’s encrypted. You want to see the green lock symbol. The “i” seems to be in the address bar in Firefox almost anywhere you go. It does this to inform the user that even though the website is encrypted, some of the content itself might not be. I found no websites after searching for about half an hour. It’s called “mixed-content” and can be found on Mozilla’s developer website.

Edge:

Not Encrypted


Encrypted (digitally verified)


Encrypted (physically verified)

*Keep in mind that just because you see “https” doesn’t always mean it’s encrypted. You want to see the lock symbol. Take notice how Edge doesn’t really pay too much attention to anything but a physically verified encrypted connection.

IE11:

Not Encrypted


Encrypted (digitally verified)


Encrypted (physically verified)

*Keep in mind that just because you see “https” doesn’t always mean it’s encrypted. Take notice how IE11 doesn’t really pay too much attention to anything but a physically verified encrypted connection. It does however darken the important information such as the domain name and “https” in the address bar.

Opera:

Not Encrypted


Encrypted (digitally verified)


Encrypted (physically verified)

*Keep in mind that just because you see “https” doesn’t always mean it’s encrypted. You want to see the green lock symbol.


As you can see most of the browsers are very similar minus some minor details. While I personally feel Edge and IE11 are on the right track, that’s not how Google sees it. What Google wants to do is add the message, “Not Secure” with all HTTP websites. They are currently doing this with HTTPS websites that don’t have an active certificate.


Not Encrypted with HTTPS


Sources:
https://www.theverge.com/2016/9/8/12847880/chrome-warning-encryption-web-google-ssl-https
https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl
https://www.theverge.com/2018/5/17/17365362/google-chrome-secure-indicator-https
https://www.godaddy.com/web-security/ssl-certificate
https://letsencrypt.org
https://ssl.comodo.com/free-ssl-certificate.php?track=8177
https://www.sslforfree.com
http://www.hp.com
http://www.addictinggames.com
https://www.newgrounds.com
http://www.pogo.com
https://www.shorturl.com
http://www.2ya.com
https://digital.gov/dap
https://digital.gov/2015/10/15/gov-analytics-breakdown-1-browsers-chrome-takes-the-cake
https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

