Our on-line advertisers

Please take a look at our advertisements below. Most will have links to their own websites.

These advertisements are updated regularly so please revisit often and mention Craft Focus when making any enquiries.

Proper protocol

David Fairhurst from Intelligent Retail explains Google's latest advance in web security protocol

Last year, Google announced that from the end of January 2017, its latest web browser - Chrome Version 56 - would display a very prominent message in the URL bar if a web page is visited, should that page contain forms or input boxes and not use the HTTPS secure protocol.
In an on-going campaign to drive security online, Google has announced that it will be releasing its latest update of the Chrome web browser initially with only insecure form pages flagged, but eventually all non-HTTPS pages will be flagged prominently as insecure.

Leaving the door open Why does Google have an infatuation with secure web pages?
Surely the only pages that need to be secure are payment pages? Well, no.
The HTTP protocol has been used online since 1989, being first implemented with a successful communication between a client and server by the inventor of the World Wide Web Sir Tim Berners Lee. HTTP is still perfectly adequate for sharing documents that don't contain sensitive information (the original purpose that this technology was first designed for) however with websites of today we tend to share a lot of very sensitive information!
Modern websites employ several different scripting languages, as well as utilising forms to enable users to input data. This means using un-encrypted HTTP on a website can leave the door open to anyone wishing to spy on communications your browser is having with a server online and the process is surprisingly easy for anyone with the tools and knowledge.
Use of insecure HTTP mean that not only can someone spy on your communications, those with the technical knowledge to manipulate scripting languages can possibly re-direct your web browsing to meet their own nefarious agendas. You could find that instead of entering your login details into your bank's login page, you're giving your username and password away to criminals via a cloned page hosted elsewhere!

What is HTTPS?
HTTPS is basically an encrypted form of HyperText Transfer Protocol (HTTP). This means all communications between the web browser you are using and a remote machine (server or other computer) are encrypted and only some other machine with the correct encryption key can de-crypt the communication.
HTTPS can use one of two different secure protocols, namely SSL (Secure Socket Layer) or the newer TSL (Transport Security Layer), both of which use a pair of keys to encrypt communications between one machine and another. Originally 256-bit and 512-bit encryption keys were used but as technology and the ingenuity of code crackers has marched on, much stronger encryption is now employed https://goo.gl/FeF8Hz for most purposes.
HTTPS was created to allow encryption of the data stream between a client (web browser) and a web server. Encryption is important as it stops any third party from spying on the data stream, meaning nobody can see what you are inputting into web pages. Google is keen to make sure that all web pages are secure as soon as possible as this will make the web safer, but of course there are other reasons

Protecting our own interests
Of course, Google wants to see that people are safe online and is pushing for the web to be a safer place, but you can probably see that there may be a modicum of self-interest here! Google runs a number of services online, including its search engine, Gmail, AdWords and Analytics. All of them have been bombarded with attacks over the years and many of these attacks have been brought about by the shortfalls of the HTTP protocol.
Moving to HTTPS was a logical move for all of Google's services, but it doesn't end there. Non-Google web sites that are not HTTPS can still cause problems for Google. For instance, if a site is hacked and injected with spam or viruses then this adds work for not only Google's staff but can add load to Google's infrastructure.
If a site that is infected with viruses is being tracked in Google Search Console, then the owner of that site has to be informed. Although much of this notification is now automated and utilises AI systems, at the very least this adds further load on Google's servers. Spam and virus infected sites can also affect other Google services such as Google AdWords, leading to further load and frustration and can in most cases cause untold misery to website owners, as well as lost profits for Google!

What to do
For those with non-HTTP websites carefully consider what you need to do next. If you run an e-commerce website, then the answer is clear - move over to HTTPS as soon as you can!
Security warnings on a static (non-eCommerce website) are bad enough and may make people click the back button fast, but these types of websites in most cases don't provide revenue unless they rely on third party advertising.
e-commerce websites could be massively affected by the release of Google Chrome 56. Firstly, if Google start to mark pages as insecure in search results (which has been hinted) then traffic to any affected eCommerce website is going to plummet.
Once website visitors do arrive, a large 'page insecure' warning in the URL bar is definitely going to result in massive increases in website abandonment, further damaging results for that website.
At the very least, any owner of an e-commerce website where a large proportion of people visit via Chrome browser will see that e-commerce transactions decline sharply!
It's very clear that e-commerce websites and those sharing sensitive, user-entered data need to be protected by utilising HTTPS as soon as possible, not just because Google says so but because it's the right thing to do!

Intelligent Retail
+44 (0)845 680 0126

Share on Facebook