HTTP is disappearing: are you ready?

HTTP is becoming the past. More accurately, non-encrypted HTTP is becoming the past: SSL is the new universal communication channel between the user (browser) and web services. We can be so bold to say that SSL is becoming the new TCP, quoting F5 Networks.

In the last few weeks we have experienced an accelerated transition of the Internet to SSL or HTTP-over-SSL (HTTPS):

  • Mozilla published the latest version of its Firefox browser (version 51) which labels all websites with password forms as “Not secure” if they are not using HTTPS – read more on this here;
  • Google Chrome also started applying similar labels in its version 56, and the developers announced that all HTTP websites will soon be marked as unsecure – more information can be found here; this means that, e.g., all regional news portals will be labelled as unsecure.
  • For some time now Google has favored HTTPS in its search results – encouraging owners of web services and news portals to switch to HTTPS as soon as possible. This is one of the reasons why this website is delivered exclusively over SSL. Current and future changes to Google Chrome and other browsers will certainly facilitate the transition to HTTPS-exclusive websites and portals.

User data also confirms a growing trend of switching to SSL: Firefox user telemetry has shown for the first time ever that over 50% of web browser traffic is encrypted.

What are the implications of these trends for organizations that are trying to protect their customers from malware and advanced threats?

SSL web certainly guarantees increased user privacy and security with regard to web services – this is indisputable. However, after email (SMTP), web remains the most widely used communications channel across all organizations, and hence the main vector for inserting malicious code and performing advanced attacks. This makes the security of web and email protocols more important than ever.

On the other hand, transitioning to a fully encrypted website where “standard” HTTP is used more as an exception means that traffic becomes invisible for antimalware, IPS and other solutions that analyze content for the purpose of detecting malware (content security). Even if your organization already has a policy in place for inspecting SSL traffic, increasing its share also results in increased load on existing solutions in terms of their performance, which leads to delays in traffic processing and degraded user experience.

SSL inspection is an unavoidable process that must be balanced with privacy protection, which is why all SSL content security solutions have to ensure meaningful management of content inspection policies with detailed definition of exceptions and preservation of performance to avoid making these solutions too costly to implement.

As a long-time distributor of security solutions for organizations, we at Veracomp are definitely aware of all details necessary for the implementation of good SSL content security in organizations: whether it is protection of public web services with F5 Networks reverse or forward proxy, Symantec Blue Coat secure web gateway, Gigamon intelligent packet brokerTrend Micro content security or by integrating trust into transactions by using Entrust SSL certificates. Our regional Partner Network guarantees support you can rely on.

Want to learn more? Contact us!