MY TAKE: Why Google’s move to label non-HTTPS sites ‘not secure’ is a good thing

By Byron V. Acohido

San Francisco-based Cloudflare has traversed an interesting path to becoming a leading cybersecurity vendor. Back in 2004, Matthew Prince and Lee Holloway concocted something called Project Honey Pot to detect and deter email spammers. Prince’s Harvard Business School classmate, Michelle Zatlyn, joined them in 2009, and together they elevated Project Honey Pot into a company launch — at the September 2010 TechCrunch Disrupt conference.

Related article: Vendors make path to compliance easy

Cloudflare today protects websites, APIs, and applications  worldwide from threats that hamper load times, particularly Distributed Denial of Services (DDoS) attacks. I recently had the chance to sit down with Cloudflare’s Product Manager of Security Engineering Patrick Donahue at the DigiCert Security Summit in Las Vegas. Donahue was there to discuss how Cloudflare and  DigiCert are partnering to join the big push–led by Google, Mozilla and Microsoft – to  dramatically increase the presence of HTTPS websites across the Internet.

Wider use of HTTPS is coming, and not because of any regulations. The browser makers are going to increasingly penalize websites not using HTTPS — by flagging them as untrustworthy. This is going to accelerate this summer. The good news is that Cloudflare, DigiCert and a number of other tech companies are collaborating to make it easy and inexpensive for the vast majority of websites to implement HTTPS, as well as keep current on it.

I’ve synopsized a few takeaways from my discussion with Patrick below. For a deeper drill down, please give a listen to the accompanying podcast.

DDoS escalation


DDoS attacks continue to escalate in both sophistication and raw power.  Just a few years ago a massive denial of service attack capable of knocking a banking website offline for extended periods was measured in gigabytes of data per second. That’s the amount of nuisance traffic the attacker, typically using a botnet, could bombard a website with and thus cut it off from public access. Today, the largest attacks are measured in terabytes per second, and waves of nuisance traffic might be reflecting off of, or getting amplified by, network mechanisms or even business applications that have been co-opted by the attacker.

Why do denial of service attacks persist? It remains a high-visibility way for ideologues to make a political statement that can grab attention.  And before the rise of ransomware, DDoS was used as a tool to carry out earlier forms of cyber extortion. Yet, interestingly, on a day-in, day-out basis, DDoS attacks can occur as part of the rough-and-tumble world of digital commerce.

“If you’ve got two different sites where you can go buy similar goods, the responsiveness of a site is really critical to securing those sales and e-commerce revenue,” Donahue told me. “If you can slow your competitor’s site down or take them off line, their reputation will decrease and perhaps your traffic will increase and you’ll be able to convert some of those customers.”

Standing in the brink

Cloudflare protects against DDoS attacks by absorbing the brunt of the assault.  The company maintains some 137 data centers in 69 different countries. It keeps track of the initial request for content from a visitor, say in Australia, pinging a website in Silicon Valley. The first time the visitor reaches out, Cloudflare keeps a copy of the requested content and caches it at a data center in Australia. So the next time, data exchanges between the Down Under visitor and the U.S. West Coast publisher happens much quicker.

Because of the locations and capacities of its data centers, Cloudflare is well positioned to absorb nuisance traffic on behalf of any of its customers’ whose websites come under a DDoS attack.  “Because we’re set up to speed up traffic to the site, we’re also able to protect it from attack,” Donahue explains. “Cloudflare effectively stands in between those attacking devices and your server.”

Promoting HTTPS

More recently Cloudflare has found another fundamental security use-case for its technologies: making digital certificates widely available and helping website publishers implement HTTPS — and have it on by default. This is happening as part of the browser companies’ drive to make HTTPS a de facto web standard.

Google on March 15 began penalizing websites that don’t have a current digital certificate by flagging them in Chrome browser as potentially unsafe. For now this is occurring only on certain versions of the latest iterations of Chrome browser. By July, Google’s plan will mark all http sites as “Not Secure,” effectively pushing the web to https by default. And something similar is expected to be implemented on Firefox, Internet Explorer and Safari.

“The people on Google’s Chrome team feel very passionate about protecting users and making sure that, not just things like using your credit card online is safe,” Donahue says,  “in certain parts of the world if you’re visiting the wrong websites you may be physically at risk from that local government.”

Pervasive use of HTTPS across the vast majority of websites is a laudable goal. It would mean people could have a high degree of confidence that the information they provide on the websites they click to are encrypting their data so it is not available in plaintext to a party who can interrupt the traffic on the web. This is a very important step forward in making the Internet as safe as it ought to be. Making sure end-users can identify and know the website they are visiting is the one it is purported to be is also important.

(Editor’s note: Last Watchdog has supplied consulting services to DigiCert.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone