2. Reason #1: Browsers Will Warn Users of Non-HTTPS Connections
Chrome plans to warn users when pages are insecure (non-https), and will warn if an insecure page asks for a password or credit card with words “Not Secure”
Firefox plans a similar warning for sites requiring passwords and credit cards
Both will transition to a more noticeable red triangle
3. Firefox Warnings
When passwords are requested over http:
https://blog.Mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
http-password.badssl.com (DevEdition 46+)
http-password.badssl.com (DevEdition 45)
4. Chrome to Present Similar Warnings
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Treatment of HTTP pages with password or credit card form fields:
Current (Chrome 53): login.example.com
Jan. 2017 (Chrome 56): login.example.com Not secure
5. Reason #2: Powerful Features Only on HTTPS
Encrypted Media Extension (DRM)
Geolocation (Chrome 50)
Device Motion/Orientation
Fullscreen
getUserMedia (Camera/Mic)
See: https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
6. Reason #3: HTTP2 Over HTTPS Only
Chrome, Firefox, IE, Edge, Safari, Opera test comparison
[Charts comparing HTTP/2 and HTTP/1.1: Latency (in milliseconds) and LoadTime (in seconds)]
See: https://http2.akamai.com/demo
7. Reason #4: Improved Referrer Data
Use HTTPS for your own site and improve your referrer data!
HTTP Website Operator:
Source (HTTPS):
8. Reason #5: GMAIL Showing Encryption Indicators
SMTP TLS Connection GUI in Gmail
Use publicly trusted certs for mail servers
NO ENCRYPTION WITH
ENCRYPTION
CERTIFICATE
82% of mail servers don’t have a publicly trusted SSL cert yet, according to Netcraft
9. Reason #6: HTTPS is Coming to a Domain Near You
ALL .gov
56% Use https
46% Participate in the digital analytics program
OUT OF 1166 DOMAINS!
As of 10/17/16
10. What Do These Mean?
Symbols That Are Consistent, Universal, Global, No Learning Curve!
12. CASC Predictions
Certificate usage will continue to grow 6.5 to 7.5M in 12 months
Fueled by https initiatives (search ranks, powerful features, negative browser UI)
SNI servers will show increased growth
SHA-1 usage will decline dramatically (and so will XP!)
Phishing using DV certs will continue to increase
Chrome will be on the bleeding edge of changes and enforcements
IPv6 will finally be adopted for CRL and OCSP lookups
The SSL protocol is stronger now than ever, because of the number of researchers assessing it and the improvements that have been made.
What’s important is that we’re evolving, and we have a better unity than ever before in focusing on efforts that will earn the trust we seek from our customers and all users and improve internet security.
Increased threats towards CAs from sophisticated hacker networks, global cybercriminal organizations and state-sponsored espionage.
Pressure for global and increasingly tough standards - CA/B Forum, Network Security Guidelines.
Great need for research and education to help people better understand how to use SSL to its maximum benefit. There needs to be a leader and it can’t be just one CA, it must be a unified group.
The CASC’s mission is to advance internet security by promoting deployments and enhancements to publicly trusted certificates and through public education, collaboration, and advocacy.
Promotion of best practices that advance trusted SSL deployment and CA operations as well as the security of the internet in general. The CASC strives for the adoption of digital certificate best practices and the proper issuance and use of digital certificates by CAs, browsers, and other interested parties.
While not a standards-setting organization, the CASC works collaboratively to improve understanding of critical policies and their potential impact on the internet infrastructure.
What’s important is for people to realize that we as CAs can do more to improve SSL security, but not alone. Browsers, software vendors, web server administrators, even end users can contribute by getting educated about the key factors and working together to value security.
The CASC works actively with browsers, relying parties and other stakeholders to enhance internet security through practical, thoughtful measures and collaborative research.
In addition, the CASC supports the efforts of the CA/Browser Forum and other standards-setting bodies in their important work, and will continue to help develop reasonable and practical enhancements that improve trusted Secure Sockets Layer (SSL) and Certificate Authority (CA) operations.
Coinciding with its launch, the CASC is announcing the first of a planned series of educational and advocacy efforts related to best practices in SSL deployment with a focus on the importance of online certificate status checking and revocation.
Specifically, the CASC will highlight the benefits of OCSP stapling for web server administrators, software vendors, browser makers, and end-users through blog posts, conference presentations and other resources.