As of Chrome 68 (July 2018), sites not using TLS encryption are called out in the address bar. Users now see a “Not Secure” label when visiting any site over plain HTTP, even if the site never transmits sensitive information.
While this warning does not elevate the severity of lacking TLS encryption, it may cause customers and partners who do not understand the nuance of the situation to assume the business is “Not Secure” altogether.
In 2014 Google began to treat HTTPS use as a ranking signal for their search engine results. While this signal does not currently carry much weight, Google has expressed that it may strengthen the signal over time.
VerSprite suggests enabling TLS with strong ciphers on all sites, both external and internal.
It is important to use valid certificates signed by a CA the clients already trust, even on internal assets, so that employees do not become accustomed to clicking through certificate warnings, a habit that increases the likelihood of falling victim to phishing and man-in-the-middle attacks.
A secure Apache (mod_ssl) protocol setting for modern browsers disables SSLv3, TLS 1.0 and TLS 1.1, leaving TLS 1.2 (and TLS 1.3 where the linked OpenSSL supports it) enabled:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
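The protocol line above is only one directive; the recommendation in this post (TLS everywhere, strong ciphers, a trusted certificate) needs a few more. The following vhost pair is an added example written for this page, not configuration from the original post or from VerSprite; the hostname, document root and certificate paths are hypothetical placeholders, and the Header directive assumes mod_headers is loaded.

```apache
# Added example (not from the original post). Hostname, paths and
# certificate locations are placeholders; adjust them for your site.

# Plain HTTP: serve nothing, just redirect permanently to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Leaf certificate followed by its intermediates (Apache 2.4.8+ reads the
    # chain from this file), issued by a CA the clients already trust:
    # a public CA for external sites, the internal PKI for internal ones.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.fullchain.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Protocols: everything mod_ssl knows except SSLv3, TLS 1.0 and TLS 1.1,
    # which leaves TLS 1.2 (and TLS 1.3 on OpenSSL 1.1.1+).
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Ciphers for TLS 1.2: forward-secret ECDHE key exchange with AEAD bulk
    # ciphers only; no RSA key exchange, no CBC, no RC4, no 3DES.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # The server, not the client, chooses from that list.
    SSLHonorCipherOrder on

    # HSTS (requires mod_headers): returning browsers refuse plain HTTP for
    # two years, so the redirect above is only needed for first visits.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
```

After `apachectl configtest` and a reload, verify the result from outside rather than trusting the file: `openssl s_client -connect www.example.com:443 -tls1_1` and the same with `-tls1` should fail the handshake, while `-tls1_2` should succeed and print a chain that verifies (`Verify return code: 0 (ok)`). A non-zero verify code on an internal host is exactly the warning employees would otherwise learn to click through.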
At VerSprite, we approach security from a holistic risk management perspective, understanding security from business and attacker perspectives.
Our approach goes beyond assessing security controls. We examine credible threats to understand the likelihood of a real-world abuse case and measure the magnitude of business impact if a breach should occur. By developing a holistic business risk view, security decisions become business decisions.