Last week the White House’s web team announced that it was enabling HTTPS by default, also known as Always On SSL (AOSSL). The FTC did the same thing a week before that.
The @Whitehouse is taking steps to improve your privacy. Starting today we use HTTPS by default: https://t.co/V14GDg1Ne1
— WH.gov (@WHWeb) March 11, 2015
AOSSL isn’t a new concept for high profile sites like Google, Facebook, or banking websites whose main purposes are to collect and display sensitive information, but whitehouse.gov and ftc.gov have hardly any form submission pages, and no login or financial information. So why would two largely content-based websites choose to turn on AOSSL? And should you consider doing the same?
What is Always On SSL (AOSSL)?
AOSSL is basically exactly what it sounds like – SSL is enabled across an entire website, including all pages, cookies, and sessions.
Why should you use AOSSL?
Most people probably associate SSL with login or payment screens – scenarios where you are entering confidential information (email, credit card details) that you don’t want falling into the wrong hands. So why enable SSL across an entire website, even on text-only pages?
- Identity verification – By clicking the padlock in the URL bar, visitors can verify that each page is legitimate and actually run by your business.
- Content integrity – Because they can see each page is legitimate and run by your business, visitors can be confident that the content included on the website is authentic. Identity verification and content integrity are particularly important given the increasing frequency of phishing and spoof websites.
- Protection from “sitejacking” – Non-SSL protected sites can be vulnerable to sitejacking, a type of attack that involves hackers intercepting cookies transmitted over non-secure connections.
- Improve Google PageRank – Last summer Google announced that https is now used as a ranking signal.
Sidenote: Why you shouldn't use SHA-1
While we applaud whitehouse.gov for enabling Always On SSL, we couldn’t help but notice that they’re currently using a SHA-1 certificate!
As we’ve previously discussed, SHA1 usage is deprecated and best practice is to issue new certificates using SHA2. Google has been at the forefront of the movement to SHA2 and, starting with Chrome 39 last November, has been implementing UI changes that degrade the appearance of sites using SHA1 certificates in an attempt to encourage website operators to upgrade.
The UI changes are dependent on the version of Chrome you’re using and when the certificates expires (specifics can be found on the Google blog). For now, www.whitehouse.gov still displays the normal https-secured UI (green padlock and https), but if you click the padlock, you’ll see a warning that the site is using outdate security settings.
Future Chrome versions will include more alarming warnings for SHA1 certificates. If your website currently uses a SHA-1 certificate that expires after 12/31/2015 (e.g., whitehouse.gov), we strongly suggest you reissue you certificate to SHA-256 to avoid a degraded user experience in new browser releases. Not sure if you are currently using a SHA-1 certificate? Find out with our free configuration checker - https://sslcheck.globalsign.com/en_US.
Note: It’s not just Google that is going to start penalizing websites that use SHA-1, Mozilla also announced in the fall that they are planning to implement security warnings with new versions of Firefox coming out in 2015.
We’re excited to see more websites, especially those run by high profile government agencies, adopting Always On SSL, and encourage other site owners to follow suit….just make sure you’re using the most up to date configuration best practices.
