Security Culture

Posted in tech | Tagged , ,

Most websites today run on non-secure connections (http instead of https) most of the time – and that’s just fine. Browsing pictures of cheeseburger-craving cats doesn’t require a secure connection because the user isn’t sharing any sensitive information. Even e-commerce sites usually only use secure connections for the actual transactions- no one cares what shoes you’re looking at but they might be interested in your credit card information so it’s the credit card transaction that e-commerce sites protect by forcing a secure connection.

This minimalist approach to security has been driven partly by user indifference but also partly because SSL certificates (which allow sites to encrypt user data and enable secure connections) have historically been fairly expensive – though that is now changing rapidly. After all, why spend the money on a certificate for your site if it’s not necessary and your users won’t derive any tangible benefit from it? So while a minority of internet users might have preferred to browse in secure mode all the time, it simply wasn’t an option on many websites.

All of this is interesting if you’re into tech trivia but not something most developers have spent a lot of time thinking about. For social media developers,however, that’s changing and changing fast. Facebook has recently announced that they’re going to require that all app developers in their ecosystem be able to serve both secure and non-secure versions of each tab. They’ve also introduced a ‘secure browsing mode’ which allows users to check a box once and have their entire Facebook experience automatically shifted from http to https.

Continue reading