World Wide Web moves to HTTPS

13 November 2017

The World Wide Web is changing, to move to a default of connecting over the https protocol. Support for https was added to all Mosaic sites on 24 October. Below we explain what this change means and why it is happening.

For information on what has been done on the Mosaic platform in relation to this change, and what Site Owners need to know, see Mosaic moves to HTTPS-only.

What is http?

http is the communication protocol used by the World Wide Web. It’s what makes the links that you click in web pages into hypertext that take you to the page referenced by the link. ‘http’ stands for ‘hypertext transfer protocol’.

And https?

https adds a security layer to http, providing authentication of the website and webserver one is communicating with. It also makes communications over the web encrypted. Together this means you can have confidence that a website you are using is the real one and not a fake, and that your communications with it cannot be ‘overheard’ or forged. When you see the green padlock in the browser URL address bar, you are accessing a site via https.

What is Google doing now?

https has been around for a long time, and typically is always supported whenever a web user needs to share private or sensitive data with a website, e.g. to login to a system or to make payments. In other cases, http has, up to now, been the default. However, as concern over protecting privacy and identity online has increased the use of https for all sorts of web traffic has climbed in parallel, and now at least 50% of all web traffic is encrypted.

Google has now taken the view that https, rather than http, should become the default protocol for all web communication. As a consequence, it is doing 2 things:

  • On 24 October 2017, the update to version 62 of the Google Chrome web browser added a feature to display a ‘Not Secure’ alert in the address bar of all webpages accessed over http, instead of https, which contain an input box where a user may submit something. This alert appears whether or not the data entered is sensitive: e.g. a simple search box – as appears on every Mosaic website – will count. Google have not activated this feature yet, but plan to do so ‘soon’
    Example alert for a not secure page
  • Increasing the search ranking value on Google Search of a webpage that is available over https rather than http – i.e. webpages on sites supporting https will appear higher up search results

At the moment, the change for Chrome does not apply to other browsers (Firefox, Edge, Internet Explorer, Safari, etc.) but it is likely that https will become the new default everywhere before long. Eventually Google intend to create alerts for all pages not accessed via https, whatever their content.

Do Mosaic sites support https?

Yes, they do!

Initially, we only implemented support for https for sites that required web users to login to view web content restricted to Oxford members only, and for login for content editing on the platform domain. As of 24 October, Mosaic supports https for all sites using the primary domain, whether that is the platform address (sitename.web.ox.ac.uk) or a custom domain (usually www.sitename.ox.ac.uk).

In future, when a new website wants to add a custom domain as the primary domain we will need to make a change to our Security Certificate to add it so that https is supported on the custom domain. This requires purchasing an updated certificate from a 3rd party Trust Vendor, so it is particularly important that we are informed in good time to avoid delays to sites going live. At least 1 month’s notice is required.

secure