Securing websites, so they keep user data private, is an essential element of the modern web. There are many aspects to this, but a couple of the most important are: ensuring that users see the site they are expecting, and that their data is protected when they send it to the site. Fortunately, both of these are easily achieved using HTTPS.
HTTPS (which uses encryption provided by TLS, the Transport Layer Security protocol) is a security technology used to protect website content while it’s being delivered to the user. It both encrypts the content to ensure privacy and authenticates it, so that it can’t be modified in transit.
As we state in our HTTPS guidance, all websites should use HTTPS, even if they don’t include private content, sign-in pages, or credit card details. And this approach is starting to be enforced by modern browsers – in July this year, Google Chrome will start to mark websites not using HTTPS as insecure.
We anticipate other browser vendors adopting a similar stance to Chrome’s on sites not using HTTPS exclusively. There are signs that this is coming: Mozilla Firefox and Apple Safari already have similar features for sites which do not serve sign-in pages over HTTPS, and Firefox will also be restricting its new features to sites which are using HTTPS.
If you are responsible for a website, and you want to test whether it’s being served over HTTPS, all you need to do is visit the site. If you see the padlock icon in the status bar with no errors, everything is as it should be. Ideally you should test this on all the browsers that visit your site. If you’re having problems, the NCSC has some useful reading on the use of TLS.
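Visiting the site in a browser is the quickest check, but if you look after several sites you may want to script the same two questions the padlock answers: does the site present a certificate that a browser's trust store accepts for that hostname, and does a plain-HTTP request get sent on to HTTPS? The script below is an added example written for this post; it is not NCSC code and is not part of the Web Check service. It relies only on the Python standard library: `ssl.create_default_context()` performs the same chain and hostname verification a browser does, and the pure helper functions (`classify_plain_http`, `days_until_expiry`) can be exercised on constructed inputs without any network access. The hostname `example.com` in the usage block is an assumed placeholder.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
from http.client import HTTPConnection
from urllib.parse import urlsplit


def classify_plain_http(status, location, host):
    """Classify how a site answers a plain-HTTP (port 80) request for '/'.

    status:   HTTP status code returned over plain HTTP
    location: value of the Location header, or None if absent
    host:     the hostname that was requested (kept for reporting)
    Returns 'redirects-to-https', 'redirects-without-https' or 'serves-plain-http'.
    """
    if 300 <= status < 400 and location:
        if urlsplit(location).scheme == "https":
            return "redirects-to-https"
        # A relative or http:// Location leaves the user on an unencrypted connection.
        return "redirects-without-https"
    # Content (or an error page) served directly over plain HTTP, no upgrade.
    return "serves-plain-http"


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string from
    ssl.SSLSocket.getpeercert(), e.g. 'May  9 00:00:00 2007 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def check_tls(host, port=443, timeout=5.0):
    """Open a TLS connection using the platform trust store, verifying the chain
    and the hostname exactly as a browser would (the default context sets
    CERT_REQUIRED and check_hostname=True). Returns (notAfter, protocol version).
    Raises ssl.SSLError (including SSLCertVerificationError) on a bad certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return cert["notAfter"], tls.version()


def check_plain_http(host, timeout=5.0):
    """Fetch '/' over plain HTTP and classify the response with classify_plain_http."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return classify_plain_http(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed placeholder hostname; pass your own site as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        not_after, version = check_tls(target)
        print(f"{target}: certificate accepted, {version}, "
              f"expires in {days_until_expiry(not_after)} days")
    except ssl.SSLError as exc:
        print(f"{target}: certificate NOT accepted - {exc}")
    except OSError as exc:
        print(f"{target}: could not connect on 443 - {exc}")
    try:
        print(f"{target}: plain HTTP -> {check_plain_http(target)}")
    except OSError as exc:
        print(f"{target}: could not connect on 80 - {exc}")
```

Run it against each of your sites and treat anything other than "certificate accepted" plus "redirects-to-https" as worth a closer look; a certificate that verifies here but shows few days to expiry is the commonest way a working site turns into a browser warning.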
If you’re in the UK public sector you can sign up to NCSC’s Web Check service, which will now alert you if any of your sites are not using HTTPS. It will even tell you if your site looks misconfigured. You can then set about remedying the problem.
Jamie H
Senior Security Researcher
Source: National Cyber Security Centre