Get ready: Chrome will be flagging a lot more pages as insecure
Earlier this year, we reported on how Chrome and Firefox were encouraging wider adoption of HTTPS by displaying warnings on certain HTTP pages.
Specifically, pages that included forms where login credentials or credit card details could be entered would be labelled as not secure.
From October 2017, Chrome is taking this policy one step further.
It will now show a security warning for any HTTP page when users enter text into a form. It will also show a warning for any HTTP page in incognito mode.
It should be said that this has long been part of the plan, and eventually, we can expect to see all HTTP pages flagged as insecure.
In the meantime, October’s change could have a huge impact on sites that haven’t yet upgraded to HTTPS. For example, an HTTP site that contains a search box at the top of every page will see warnings triggered for all the pages on its site.
With more than 60% of market share on desktop, if any browser vendor has the power to change site owners’ behaviour, it is Google.
The performance impact
Other things being equal, an HTTPS site will almost inevitably be slower than its less secure counterpart, thanks to the extra round-trips required for the TLS handshake. What’s more, this effect will be more noticeable on high-latency mobile networks.
[Figure: establishing a TCP connection, compared with establishing a connection over TLS]
Fortunately, there are plenty of ways to make TLS fast.
Here are just a few:
OCSP stapling
OCSP stands for Online Certificate Status Protocol. This is a way to ensure that a site’s TLS certificate has not been revoked. Sometimes, the client does this job by querying the OCSP server. However, this is far from ideal, as it means the client has to retrieve information from a third party before it can even start getting content from the website.
OCSP stapling works by passing responsibility for certificate verification from the client to the server. Instead of the client having to do the look-up when it accesses the site, the server carries out the look-up from time to time, so it always has a signed OCSP response ready to return to the client during the TLS handshake.
TLS session resumption
TLS session resumption works by storing information about a TLS connection that’s already been established. This allows a client to reconnect to a host with an abbreviated TLS handshake, cutting the time it takes to make the connection.
HSTS
HSTS stands for HTTP Strict Transport Security. It’s designed as a security enhancement to help prevent man-in-the-middle attacks, but there’s also a knock-on benefit for performance.
Essentially, it means telling the browser that it should only ever access your website over HTTPS. This saves the cost of a redirect when someone visits the HTTP version.
There are two ways to implement HSTS.
One is through a response header, although the disadvantage of this is that it will work only after the first visit someone makes to your site.
The other is by adding your site to a list of HTTPS-only domains. However, you should only take this second route if you’re confident you won’t have to fall back to the HTTP version, as it’s not quick to undo.
HTTP/2
HTTP/2, now more commonly known simply as H2, offers a range of performance enhancements.
Multiple requests and responses can be multiplexed over a single connection, reducing the risk that one slow-loading asset will block other resources.
Headers are compressed, reducing the size of requests and responses.
Other features, such as server push, aren’t quite there yet, but are poised to offer even more performance benefits.
But in practice you can only use H2 over HTTPS, because browsers negotiate it only over a TLS connection.
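The four techniques above (OCSP stapling, TLS session resumption, HSTS via a response header, and HTTP/2) are all switched on from the web server’s TLS configuration. The following nginx configuration is an added example written for this article; it is not from the original post or from any product of the author’s. The hostname example.com, the certificate paths under /etc/ssl/example.com/ and the resolver address are placeholders to be replaced with your own values.

```nginx
# Plain-HTTP listener: the only job left for port 80 is to redirect to HTTPS.
# Once HSTS is cached, returning browsers never pay for this redirect at all.
server {
    listen 80;
    server_name example.com;                       # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    # "http2" on the listen line enables H2; browsers only negotiate it over TLS.
    # (nginx 1.25.1+ also accepts a separate "http2 on;" directive.)
    listen 443 ssl http2;
    server_name example.com;                       # placeholder hostname

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder path

    # ---- OCSP stapling ----
    # The server fetches the OCSP response itself and returns it in the handshake,
    # so clients no longer have to contact the CA's responder before loading the page.
    ssl_stapling on;
    ssl_stapling_verify on;
    # CA chain used to verify the fetched OCSP response before it is stapled.
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;   # placeholder path
    # A resolver is required so nginx can look up the OCSP responder's hostname.
    resolver 127.0.0.53 valid=300s;                # placeholder resolver address
    resolver_timeout 5s;

    # ---- TLS session resumption ----
    # A shared cache lets any worker process resume a session with an abbreviated
    # handshake. 10 MB holds roughly 40,000 sessions.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Session tickets also allow resumption, but their encryption key must be
    # rotated (ssl_session_ticket_key) or forward secrecy is weakened for that period.
    ssl_session_tickets off;

    # ---- HSTS ----
    # Tells the browser to use HTTPS only for this host for one year.
    # "always" sends the header on error responses too.
    # Only add "includeSubDomains" and "preload" once you are sure you will never
    # need to fall back to HTTP: preloading is not quick to undo.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    root /var/www/example.com;                     # placeholder document root
}
```

To confirm each setting took effect after a reload: `openssl s_client -connect example.com:443 -status` should print an OCSP Response Status of successful when stapling works; `openssl s_client -connect example.com:443 -reconnect` should report the session as Reused on the later connections; and `curl -sI https://example.com` should show the Strict-Transport-Security header in the response. Start with a short max-age (for example a few minutes) while testing, and only raise it to a year once every subdomain is serving HTTPS correctly.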
A more secure future
It’s clear that we’re edging ever closer to an HTTPS-only web, delivering more privacy and better security for all web users. All browser vendors, but Google in particular, seem intent on accelerating the pace of change.
So the rest of us had better be ready.
If you’d like to make sure your HTTPS site is as fast as it should be, we have a number of web performance experts on hand to help.
Published date:  28 September 2017
Written by:  Alex Painter