Plain HTTP Websites Labeled “Not Secure”


Is Your Site Labeled “Not Secure”?

As of the latest release of Chrome, sites not using TLS encryption are being called out in the address bar. Users will now see a “Not Secure” label when visiting sites over plain HTTP, even if the site does not transmit sensitive information.


HTTP May Impact Google Rankings

While this warning does not elevate the severity of lacking TLS encryption, it may cause customers and partners who do not understand the nuance of the situation to assume the business is “Not Secure” altogether.

In 2014 Google began to treat HTTPS use as a ranking signal for their search engine results. While this signal does not currently carry much weight, Google has expressed that it may strengthen the signal over time.

Using Valid Signed Certificates

VerSprite suggests enabling TLS with strong ciphers on all sites, both external and internal.

It is important to use valid, signed certificates even with internal assets so that employees do not become accustomed to bypassing security warnings, a practice that increases the likelihood of falling victim to phishing attacks.

To ensure systems have the most secure TLS configurations, review the suggestions given by Mozilla on their SSL Configuration Generator and Security/Server Side TLS pages.

Secure Apache Configuration

A secure Apache configuration for modern browsers might look like the following:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

After TLS has been implemented, regularly test the configurations using Qualys’ SSL Server Test or the testssl.sh script.
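
Between external scans, the configuration file itself can be checked for drift from the settings above. The following is an added example, not VerSprite's or Mozilla's code: the function names, the conservative expansion of "all", the weak-primitive pattern and the second sample configuration are assumptions made for illustration.

```python
import re

# Assumption: "all" is expanded to every protocol mod_ssl could offer.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK = re.compile(r"RC4|DES|MD5|NULL|EXP")  # assumed list of weak primitives
# Switch directives and the values used in the configuration on this page.
SWITCHES = {"SSLHonorCipherOrder": "on", "SSLCompression": "off", "SSLSessionTickets": "off"}

# The configuration from this page.
PAGE_CONF = """\
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
"""
# Constructed sample of a configuration that has drifted.
WEAK_CONF = """\
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression on
"""

def enabled_protocols(value):
    """Resolve an SSLProtocol value: '+' adds, '-' removes, a bare name overrides."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        names = ALL if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names if sign else set(names)
    return enabled

def audit(conf_text):
    """Return findings for a mod_ssl fragment; an empty list means it matches."""
    seen, findings = {}, []
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            seen[parts[0].lower()] = parts[1].strip()
    # A missing SSLProtocol is treated as "all" (conservative assumption).
    legacy = enabled_protocols(seen.get("sslprotocol", "all")) & LEGACY
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    for suite in seen.get("sslciphersuite", "").split(":"):
        if suite and suite[0] not in "!-" and (not suite.startswith("ECDHE-") or WEAK.search(suite)):
            findings.append("cipher without ECDHE or with a weak primitive: " + suite)
    for name, want in SWITCHES.items():
        if seen.get(name.lower(), "").lower() != want:
            findings.append(f"{name} should be set to {want}")
    return findings
```

A file-level check like this complements, and does not replace, testing the live endpoint with the tools named above.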
