December 2nd, 2016
Keeping your personal information and credentials safe online is extremely important. You should only provide credentials and sensitive information (such as credit card numbers) to sites using HTTPS, because that data is encrypted between your computer and the site (HTTP or HTTPS can be found in that address bar of your browser at the beginning of the URL - see image below). Providing that same information to a site that uses HTTP (which is not encrypted) leaves open the possibility for that information to be captured as it traverses the internet between your system and the site. If that were to happen, any data transmitted to that site (such as your username, password, credit card information, etc.) would then be in the hands of a third party with malicious intent. They could then sell that information or use it to access your data such as your email, your pay information, make purchases on your account, gain access to University systems, or access University files and applications.
Changes Coming to Google Chrome and Mozilla Firefox in 2017
Beginning in January 2017, Google Chrome and Mozilla Firefox will take additional steps to make the web more secure for their users. Toward this end, Chrome and Firefox will add more descriptive security information in their address bars (see below) to help users determine if their connections are secure. Specifically, Chrome will now label any HTTP sites that collect passwords or credit card information as 'Not Secure' with the longer term plan to mark all HTTP sites unsecure in the future. Similarly, Firefox will update the address bar to display a gray padlock with a red strike through it for HTTP sites that include login forms. These new indicators are particularly important since all traffic to and from a website via HTTP is not encrypted. More information can be found on Google's Security Blog [1].
What Can I Do About It?
Website Visitors
- Be aware of the upcoming changes in Google Chrome and Mozilla Firefox, and understand the difference between HTTP and HTTPS sites
- If you frequently use HTTP sites that require a password, you should contact the site administrator to ensure they are taking steps to migrate to HTTPS
- Always update Chrome and Firefox when new security patches are released. Better still, configure Chrome to automatically update [2] (Firefox is setup to do so by default).
Website Administrators
Website Administrators have a more important role, and should take this opportunity to better protect their user community. Security best practice is to use HTTPS for all sites, especially those that require authentication or that collect user data. If your site is still using HTTP, begin investigating how to migrate to HTTPS. This will not only protect the user data submitted on your site, but Google also uses HTTPS as a ranking signal [3] for search results - the higher the security, the better the ranking.
CCS has a number of ways we can assist with this migration. Through our SSL Certificate Administration Service [4], we can assist you with getting an SSL certificate for your site (potentially at no cost) and integrating your site with the University's Single Sign-On infrastructure. We have knowledgeable and helpful experts who will work with you and your team on things like setting up virtual servers, configuring your webserver, or taking advantage of our hosting solutions.
Written by: Stephen Willem (Manager, CCS Information Security)