Google rolls out an advanced SSL configuration to their website, bolstering security.
Late last week Google.com rolled out HTTP Strict Transport Security (HSTS) across their domain.
HSTS is an optional security measure that improves the protections provided by the SSL/TLS protocol. When a site uses HSTS, it transmits an HTTP header (information exchanged when computers make a connection) to your browser telling it to only make connections over HTTPS. If the browser encounters an HTTP URL from that site, it automatically upgrades it to HTTPS.
The HSTS header is then cached by the browser for an amount of time determined by the site, usually a few months. During that time period, your browser is prevented from ever visiting the site over HTTP. This guarantees that an unsecured HTTP connection won’t be made, which can be a double-edged sword.
If, for some reason, a working HTTPS connection is not available – due to certificate expiration, a change to the site’s configuration, etc. – visitors are effectively locked out of the site. For this reason, HSTS is seen as an advanced measure that should only be used by sites that need to guarantee security or are very comfortable with SSL/TLS.
HSTS: Protecting from “Downgrades”
You can only get the protections of HTTPS when you are using HTTPS – but almost every site that uses HTTPS also allows connections over HTTP. This creates a window where users can insecurely transmit/receive data from a site, either by accident or as the result of an attack.
For instance, on many websites there will inevitably be an errant HTTP link that was not updated to HTTPS. This is common on any large site where there are thousands or even tens of thousands of internal links. Navigating to one of those HTTP links can be the result of a simple mistake – from clicking an HTTP link or from manually typing in the URL.
But HTTP navigation can also be used in attacks against SSL/TLS security. In a “downgrade attack” the attacker creates a situation where the user connects to the target site over HTTP, allowing the attacker to read the user’s data and/or make malicious modifications to the connection. Downgrade attacks are easy to execute on public networks like the ones at coffee shops and schools.
When HSTS is used, a downgrade attack is not possible. The user’s computer, upon encountering an HTTP connection, will either try to automatically upgrade it to HTTPS or simply refuse to connect. HSTS triggers a hard-fail error in the browser, meaning there is no way for the user to ignore it and proceed anyway.
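As an added example (not from the original article or from Google), the header caching and HTTP-to-HTTPS upgrade described above, modelled as a small policy store in Python; the class and method names are my own, and the injectable clock exists only so that max-age expiry can be exercised without waiting.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)  # the mandatory directive (RFC 6797)


class HSTSStore:
    """Remembers which hosts asked to be reached only over HTTPS, and until when."""
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised without waiting
        self.policies = {}      # host -> (expires_at, include_subdomains)

    def observe_header(self, host, header_value):
        """Record a Strict-Transport-Security header that arrived over HTTPS (never over HTTP)."""
        match = _MAX_AGE.search(header_value)
        if match is None:
            return False        # no max-age: malformed, ignored just as a browser ignores it
        host, max_age = host.lower(), int(match.group(1))
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 asks the browser to forget the site
            return True
        directives = [d.strip().lower() for d in header_value.split(";")]
        self.policies[host] = (self.clock() + max_age, "includesubdomains" in directives)
        return True

    def is_known_host(self, host):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        now = self.clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if now >= expires_at:
                del self.policies[candidate]    # expired: plain HTTP is reachable again
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// when a policy applies (an explicit :80 becomes the https default)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

A real browser additionally refuses to proceed when the upgraded HTTPS connection fails; that hard-fail behaviour is outside what this store models.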
Many sites still support HTTP because it’s either necessary for a technical reason (for instance, some segment of their audience is browsing from devices that don’t support HTTPS, or the site uses a third-party service that only works over HTTP), or because the site administrators have not done what’s needed to guarantee 100% availability over HTTPS – which is likely not their fault. Deployment of HTTPS at large scales is still something many developers and admins do not have experience with, and for some organizations, it can be difficult to budget the time and money needed for such a transition.
Google Continues Their Lead
Turning on HSTS on a site as large as Google is a big deal. Bigger sites have a harder time making any sort of site-wide technical change, especially one that can lock out users. Engineers in the industry have pointed out that HSTS can be a “self-inflicted DDoS” if it is improperly configured.
Google is in a unique place to be an industry leader in transport security, both as an example of advanced implementation and as a force encouraging adoption across the internet. As a search engine, Google announced back in 2014 that use of HTTPS would be counted as an SEO ranking signal, which has been frequently cited as a reason to start supporting HTTPS.
Last year Google’s Chrome web browser removed the “mixed content” indicator which was discouraging sites from adopting HTTPS. Just last week Chrome version 52 was released with revised connection security indicators, intended to improve a user’s understanding of their connection security.
Google’s engineers have also proposed a plan to flip the current security paradigm. Today, all browsers show a positive indicator when HTTPS is used. Google’s team imagines an alternative where instead, a negative indicator is shown for unsecured HTTP connections and nothing is shown for HTTPS, because secure access should be expected. The Chrome browser intends to slowly implement this in phases over the next few years.