Crashtest Security Blog

Does Chrome hate website providers?

Feb 16, 2018 9:34:00 AM / by Daniel Schosser

Why blocking ads and enforcing HTTPS is a good thing


What’s happening?


Over the last few days there were multiple announcements about the Chrome browser and its new features, from an integrated ad-blocker to trust warnings on websites without HTTPS encryption. But what is all the fuss really about?

Is the Chrome team trying to remove my income from the ad campaigns on my website? In short: no, they aren’t! Google Chrome’s new feature targets advertisements that redirect the user’s focus away from the content of the page. If your website uses normal ad displays, they won’t be affected by the new features in any way. So-called “tab-unders” are an example of advertisements that will be blocked starting with the release of Google Chrome 64. They represent all kinds of ads which open new tabs without asking the user AND, in most cases, also redirect the user to this new tab. While a user currently only has the option of closing the newly opened tab to get back to the original site, these advertisement tabs will either not open at all or the user will get a UI dialog asking for permission. Besides “tab-unders”, animated and intrusive ads will also be blocked.

Overwhelmed by ads (Source: Altered Carbon — Episode 1 “Out of the Past” [37:19], ©Netflix 2018)

Ok, so I can still rely on my ad-campaign income, but what about the enforcement of SSL encryption on my website?

Way back in 2014, Google started to improve the ranking of websites that provide SSL encryption compared to pages that do not. Since then, the percentage of encrypted website traffic through the Chrome browser has increased to 68 percent on Windows and even 78 percent on Mac. Starting in July 2018, Chrome will mark websites as “not secure” if they do not provide any SSL encryption. But what does it mean to be “not secure”?

Current display of encryption state (Google Chrome 64)

Well, depending on the features your web application provides, being “not secure” might not mean anything, but it can also increase the mistrust new users have towards your application. A simple static website that does not provide any options to interact might not benefit from an SSL certificate. On the other hand, any non-encrypted traffic can be monitored and is especially interesting for attackers if it contains user-provided data. This includes passwords, credit card information and other valuable information. Even though there might not be a technical benefit in having encryption on a static website, people will still be more likely to use it if they don’t see the “not secure” label. If you handle confidential user input and don’t provide encryption already, shame on you! Now is the time to change it!

Display of encryption starting in July 2018 (Source: Chromium)


I can’t afford an SSL certificate! Last time I checked they were like $100 a year!

First of all, it is important to know that there are multiple types of SSL certificates, and every certificate is signed by a certificate authority. Some of them are more trustworthy than others, and the prices also differ from very cheap to very expensive.

But wait! There are also free ones that even the smallest website can afford. Projects like Let’s Encrypt have grown rapidly over the last years and have proven that it is possible to provide free SSL certificates to more than 100 million domains. As a technically experienced user, it is easy to obtain and install a valid certificate within a few minutes. Many web hosts also provide easy one-click options to automatically create a valid Let’s Encrypt certificate during account creation, which is even easier. In summary, a valid SSL certificate costs me only a few minutes and not a single dollar.


So, I just click install and I am done?

Basically, that’s it! Larger corporations probably won’t go for a free certificate but instead want to increase the trust level even further. Higher tiers of SSL certificates also show the company name within the certificate, and certain information is verified before such a certificate is issued to the company. A simple free certificate mostly doesn’t verify any user or company information and only validates the domain name.


Now that Google Chrome says my application is “Secure”, am I done?

The traffic between clients and your application is now encrypted and cannot easily be monitored and analyzed, but there is more!

There are multiple ways of encrypting the data, so-called cipher suites. In most server setups, the owner of the certificate can choose which suites to use and override the default values, which are not always the best. You can choose the ciphers, disable certain legacy features which contain vulnerabilities, and enable others that are missing by default.
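As an added illustration (not code from the post or from Crashtest Security), here is a small Python linter that flags the kind of legacy protocol and cipher settings the paragraph refers to, plus a missing HSTS header, in an nginx TLS configuration. The two server blocks are constructed samples, and the weak-token list is an assumption for the example, not a complete cipher policy.

```python
import re

# Constructed sample nginx server block with weak TLS settings (not taken from the post)
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4:!aNULL;
}
"""

# The same block after hardening: current protocols only, AEAD ciphers, HSTS enabled
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed tokens that mark a weak or legacy OpenSSL cipher-list entry (illustrative, not exhaustive)
WEAK_CIPHER_TOKENS = {"RC4", "DES", "MD5", "NULL", "EXPORT", "EXP", "MEDIUM", "LOW"}


def _directive(config, name):
    # Argument string of the first "name ...;" directive, or "" if the directive is absent
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]*);", config, re.MULTILINE)
    return m.group(1).strip() if m else ""


def lint_tls_config(config):
    # Return a sorted list of findings; an empty list means nothing was flagged
    findings = []
    for proto in _directive(config, "ssl_protocols").split():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    for entry in _directive(config, "ssl_ciphers").split(":"):
        # "!NAME" excludes a cipher from the list, so it is not an enabled weak entry
        if entry and not entry.startswith("!") and set(entry.split("-")) & WEAK_CIPHER_TOKENS:
            findings.append(f"weak cipher entry: {entry}")
    if "Strict-Transport-Security" not in config:
        findings.append("no HSTS header: browsers may still use plain HTTP first")
    return sorted(findings)
```

Running `lint_tls_config(WEAK_CONFIG)` reports the two legacy protocol versions, the RC4 and MEDIUM cipher entries and the missing HSTS header, while the hardened block produces no findings.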

We gathered a list of possible improvements for configuring your SSL certificate in our knowledge base. If you are interested in validating the security of your existing certificate, we also provide an extensive test in the free package of the Crashtest Security Suite. After just a few minutes, we list all findings and provide you with the information you need to improve your configuration.

Let’s not only encrypt, but also do it right!

Topics: VulnerabilityAssessment

Written by Daniel Schosser