Application Security Testing: An Integral Part of DevOps
I do a LOT of Web application development, and as such I need to keep up with the news of what's happening in the Web world. This can be very difficult at times due to the speed things move; however, I try!
Anyway, this leads me to today's editorial.
You may or may not know that we are on the verge of seeing HTTP version 2 going mainstream. Why should you care? Simply put, HTTP is the protocol/system that powers everything on the Web today. Currently, most sites and services are running on HTTP Version 1.1. This, however, is changing at quite a rapid pace.
My advice today is not about HTTP version 2, but more about "secure Web sites." That is, the Web sites that need certificates.
When you use a certificate with your site, you're actually using something called HTTPS. The S on the end means secure, so it's normal HTTP, but it's also secured. It's secured by means of encryption, and this is where the certificate comes in. The certificate is actually something called a "Public Key Pair," which is basically a 'password' in a form that's not known by humans, that's used to encrypt the data between your browser and the Web server.
When a Web user accesses anything that's HTTPS, the browser uses the certificate to encrypt the data, and the Web server then uses its own copy, on the other end, to decrypt the data. Because of this encryption, anyone who has access to the data in transit between the browser and the Web server handling the pages or Web application won't be able to make sense of it.
This is why Web sites that ask you for passwords put things like signing into the site under HTTPS control. It's basically so that no one can intercept your password.
For years, it has worked that pages that are not sensitive go over regular HTTP and don't get encrypted, whereas sensitive information gets sent using HTTPS.
There is a BIG movement in the industry at the moment to get everyone to move permanently to using HTTPS all the time, for everything, not just for sensitive data. Additionally, HTTP Version 2 is secure all of the time for everything it does. Under HTTP version 2, there is no unencrypted data; everything between browser and Web server is secure all of the time, no matter what the data is.
Because of this, ALL the major players in the industry are trying to push Web site and Web application owners towards an HTTPS future. Big search engines, like Google, are expected to start treating Web sites and applications that still use regular HTTP as though they are dangerous sites.
The "This Site Is Unsafe" Warning Message
You might have seen the red "This site is unsafe because it's known to host viruses" page in Chrome (and Firefox). This warning is letting you know that, if you proceed, there's a big chance that you'll get into some kind of sticky situation!
The plan is that all of the major browsers will be giving this type of warning when you visit a site that does not use HTTPS for everything. This means that if your site is still using HTTP 1.1, users coming to your site are going to see Google search, the Chrome browser, the Firefox browser (and others) stating that visiting your site will be dangerous and might harm their PC. This will be the case if you are not using HTTPS on every single page of the site.
Furthermore, Google is also planning on penalizing any site whose indexed pages do not use HTTPS. This means your site's pages will be lower in the search result rankings. These changes are planned to go into operation sometime this year.
In a nutshell, if your site does not go fully HTTPS on every page, all the browsers will start reporting it as dangerous, and search results will be intentionally altered to place such sites lower than they would be normally. Every site needs to have new certificates, and every page in each of those sites needs to be encrypted using those certificates. This needs to happen in the near future; otherwise, you're going to see an increase in reports of "Error Screens" in browsers when accessing Copy Cache and other sites.
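One way to check the "HTTPS on every single page" requirement against a crawl of your own site, as an added example (this is not code from the editorial): it assumes you already have each page's URL and HTML captured, and the sample pages below are constructed, not a real site. It flags pages served over plain HTTP and, on HTTPS pages, subresources (scripts, stylesheets, images, form targets) still loaded over http://, since one such reference undoes the encryption the page relies on.

```python
"""Offline audit: is every page served over HTTPS, with no plain-HTTP
subresources? Added example, not code from the original editorial."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch or submit something; an http://
# value on an https page is "mixed content" and leaks or weakens the page.
FETCH_ATTRS = {"src", "href", "action"}


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                self.refs.append((tag, value))


def audit_page(page_url, html):
    """Return a list of (severity, message) findings for one crawled page."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(("high", f"{page_url}: page itself served over plain HTTP"))
    collector = _RefCollector()
    collector.feed(html)
    for tag, ref in collector.refs:
        if urlsplit(ref).scheme == "http":
            # <a href> only navigates away; scripts, images, forms load or send data.
            sev = "low" if tag == "a" else "high"
            findings.append((sev, f"{page_url}: <{tag}> references {ref}"))
    return findings


def audit_site(pages):
    """pages: iterable of (url, html). Returns all findings, worst first."""
    order = {"high": 0, "low": 1}
    out = [f for url, html in pages for f in audit_page(url, html)]
    return sorted(out, key=lambda f: order[f[0]])


# Constructed sample crawl (hypothetical hostnames, not a real site)
SAMPLE_PAGES = [
    ("https://example.test/login",
     '<form action="https://example.test/login"><input name="pw"></form>'),
    ("https://example.test/news",
     '<script src="http://cdn.example.test/app.js"></script>'
     '<a href="http://partner.test/">partner</a>'),
    ("http://example.test/about", "<p>About us</p>"),
]

if __name__ == "__main__":
    for sev, msg in audit_site(SAMPLE_PAGES):
        print(f"[{sev}] {msg}")
```

Run it against your real crawl by replacing SAMPLE_PAGES; any "high" finding means that page is not yet fully under HTTPS control.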