Google offers free DDoS protection services, and is removing HTTPS padlock

News by Robert Abel

Google rolls out a free DDoS protection platform, 'Project Shield', to protect news sites and free expression to defend the democratic process. It's also removing its 'green padlock' for HTTPS websites; HTTP sites to be marked 'insecure'

Google has rolled out a free DDoS protection platform called Project Shield to protect news sites and free expression to defend the democratic process.

The programme is accepting applications from news organisations, election monitoring organisations, individual journalists and some political organisations.

The service protects users from attackers using a technology called a reverse proxy, which allows websites to route both legitimate and attack traffic through Google's infrastructure, which ultimately filters harmful traffic by absorbing it through caching.

Impact on individual site traffic can vary, as website performance depends on several factors, but Google said the service can be turned on or off as quickly as any other DNS change.

“Some Project Shield users see better website performance because of Project Shield's caching features,” the company said in a blog describing the new service. “Other users see slightly slower performance as traffic passes through Project Shield.”

The service may also affect how some videos display on a user's site; however, those served through YouTube won't be affected.

Those concerned with privacy should know the program collects and stores user configuration settings and logs for traffic that is proxied through Project Shield, but Google said it only uses the site reader's IP address and other information to evaluate whether traffic is an attack, and only retains aggregated metrics and details about specific attacks.

If a user deletes their site from the Project Shield dashboard, their information will also be deleted from Project Shield site configuration information and the project will no longer collect traffic data from the site.

Users need a Google account to access the service and may not be notified of some attacks; however, they will be alerted to larger-scale attacks which may require active mitigation.

“Google's Project Shield should provide good protection,” Andrew Lloyd, President, Corero Network Security told SC Media. “What we tend to find is that shared cloud services are excellent for scrubbing the larger, prolonged DDoS attacks.”

He added that, irrespective of motivation, DDoS attacks are frequently the tool of choice for the cyber-criminals looking to compromise a specific website and that the “DDoS for hire” market has made this criminal activity relatively straightforward, inexpensive and anonymous.

Lloyd said it remains to be seen if Project Shield's protection can successfully detect and swiftly mitigate smaller attacks and that potential users should know that Google Shield is a “best efforts” free service without a service level agreement.

“Consequently, news organisations with a revenue generating subscriber base and/or advertisers who are paying to access a targeted audience will need more comprehensive real-time DDoS protection to be able to stay online during a cyber-attack,” Lloyd said. “That said, we welcome this Internet society enhancing initiative by Google.”

Users should also understand the service won't protect users from hacking or malware.

HTTP sites to be marked 'insecure'

In a separate development, Google says it will be removing its ‘green padlock’ for HTTPS websites as of September, and will flag any non-HTTPS sites as insecure in Chrome from October. Bleeping Computer reports that Google will be marking all HTTP sites as “Not Secure” starting with Chrome 68, set for release in July.

Craig Stewart, Vice-President EMEA for Venafi, emailed SC Media UK to comment: “As consumers, we have been trained to look for the green padlock to make sure the site we are putting our details into is secure and can be trusted, so the fact these are now being removed might create some confusion and concern – but people shouldn't worry, it's actually a sign that the internet is becoming more secure. The fact is, websites should be secure as the de facto standard; it's those sites that do not use HTTPS that should be brought to our attention so that we do not use them. When Chrome starts to flag any sites not using HTTPS as insecure, users will simply become used to expecting security as the default instead of checking for the padlock. This will pressure businesses to step up their game and improve security across the internet, which can only be a good thing.”


He adds that, as we've already seen from the deprecation of SHA-1 certificates, organisations are typically slow to react to warnings of this kind and can often underestimate the task at hand, saying: “Many organisations do not properly track which certificates they have applied where, and have thousands of certificates that they are unaware of. Just the task of discovering these and making sure they are upgraded to HTTPS will be a big task and, if done manually, there are likely to be gaps which cause disruption to customers and business processes. This is why businesses need to take control of their security and use automation to enable them to be agile in applying new changes such as switching from HTTP to HTTPS certificates. Unless organisations are able to identify where their HTTP certificates are, and then have the flexibility to revoke and replace these with HTTPS certificates, they will be faced with customers, partners and prospects refusing to access a seemingly insecure site. Businesses have less than six months to make sure they've resolved the situation, so better get started now.”
