Since Google’s I/O developer conference in June 2014, the tech giant has been encouraging the use of HTTPS everywhere. And because this encouragement is coming from Google, it has created significant reverberations across the web. This article expands on the concepts outlined in HTTPS Fundamentals and then examines why HTTPS is important for all pages of all websites, even when there is no sensitive information to protect.
Because security is such a broad term, throughout this article I will focus on a modified version of the classic CIA triad, which is at the heart of information security. This CIA is unrelated to the better known American intelligence agency, although the Central Intelligence Agency certainly employs these concepts.
- Confidentiality - is the communication private, or can anyone read the data?
- Integrity - has the original data been tampered with?
- Authenticity - are the servers who they claim to be?
In this case I am replacing the classic CIA aspect of Availability with Authenticity because server availability goes beyond the scope of this article. That said, as we will see later, server availability is indirectly improved when using HTTPS.
HTTP over TLS
Before we look at a few examples, I would like to note one other technical item. When HTTP (Hypertext Transfer Protocol) runs on top of TLS (Transport Layer Security), it becomes HTTPS (Hypertext Transfer Protocol Secure). TLS is a protocol designed to provide secure communications across the web and is a substantial topic in itself. The takeaway here is that when I mention HTTPS, I am actually referring to HTTP running over TLS, just more concisely.
If this terminology is new to you (especially HTTP and HTTPS), I suggest reading my previous article HTTPS Fundamentals and then building upon those base concepts by continuing with this article.
HTTP Fails CIA
Insecure HTTP fails on all three CIA counts. Information sent over HTTP is not confidential, it lacks integrity, and it cannot be authenticated. I have put together a simple diagram illustrating how, without drawing anyone’s attention, a passive attacker can easily listen to HTTP traffic passing over a public Wi-Fi network.
This same passive attacker is easily defeated when data is encrypted over a secure HTTPS connection.
Encryption alone is not enough to secure a website/server from an active attacker. Unlike a passive attacker, an active attacker can redirect traffic to a phony server under their control. This phony server essentially impersonates the legitimate server that users want to reach. Once an active attacker has accomplished this, they are free to collect any information the user submits, regardless of whether the channel is encrypted.
Defeating Active Attackers
Verifying the server’s authenticity is key to defeating active attackers. Fortunately, TLS has this covered as well. As you recall, HTTPS is really just HTTP running over TLS. When HTTPS is implemented correctly, here is what happens to active attackers.
Because the legitimate server’s certificate was issued by a Certificate Authority (CA) that verified ownership of the domain (yourwebsite.com), an active attacker cannot fake the certificate. Encryption prevents the attacker from reading or modifying any intercepted data. In short, the entire CIA triad is satisfied and both passive and active attackers are defeated.
Many websites only employ HTTPS on pages that deal with sensitive information such as passwords and credit card numbers. While this is much better than using HTTP, it opens up all kinds of security vulnerabilities that can be exploited by attackers. Here is an example.
Start by thinking back to our example of passive attackers listening to passing HTTP traffic. If a financial institution only secures account pages, it may become clear to an attacker that this particular user does business with that particular financial institution. Now the attacker has a starting point.
Now say the attacker is able to discover the user’s favorite password by watching when they sign into an unrelated online service that fails to properly employ HTTPS. If that person uses the same password everywhere, the attacker already knows which bank to focus on.
Online banking is an obvious example where HTTPS needs to be everywhere, and very few people find this controversial. But what about a personal blog or business website that does not deal with passwords or credit card numbers? Again, by monitoring the activities of any given person for a period of time, an attacker can build a narrative about this person.
Are they interested in buying stocks, life insurance, hiring a high-end web developer, shopping for a new luxury car? “Great,” thinks the attacker, “this person must have assets and therefore is a good target. I’ll keep watching until I have something more useful.” With HTTPS everywhere, the passive attacker is denied this valuable information.
As a bonus for protecting the privacy of your visitors, Google has publicly announced they are giving a small SEO (Search Engine Optimization) boost to websites that correctly employ HTTPS on all pages. Given the many benefits of HTTPS everywhere and Google’s desire to improve its privacy credibility, it is fair to say this small SEO boost will increase over time.
HTTPS Excuses Defeated
For the reasons outlined in this article, I strongly encourage all website owners to implement HTTPS everywhere. If you believe this will slow down your website or require extra hardware to support, then you should check out Is TLS Fast Yet? for help with performance optimization. If you believe certificates are too expensive, then I encourage you to take a look at Let’s Encrypt or StartSSL, where free certificates are available.
If the implementation of HTTPS everywhere is too technical for you, then ask your webmaster to take care of it. If your webmaster is unable to do so, hire a competent webmaster.
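A first step toward HTTPS everywhere is finding what is still served over plain HTTP: sub-resources (scripts, stylesheets, images) loaded over http:// on an otherwise secure page, and internal links that still point at http:// pages. The following audit is an added example, not code from the original article; the example.com hostnames and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL the browser fetches as part of the page; an http:// value here is
# mixed content that a passive attacker can read and an active attacker can replace.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
                  "audio": "src", "video": "src", "source": "src"}


class _LinkCollector(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base = base
        self.resources = []  # sub-resources the page loads
        self.links = []      # pages the user can navigate to

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in RESOURCE_ATTRS and a.get(RESOURCE_ATTRS[tag]):
            self.resources.append(urljoin(self.base, a[RESOURCE_ATTRS[tag]]))
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))


def audit_https_everywhere(page_url, html):
    """Return (kind, url) findings: 'mixed-content' for http:// sub-resources,
    'http-link' for same-site links that still point at plain-HTTP pages."""
    site = urlsplit(page_url).hostname
    p = _LinkCollector(page_url)
    p.feed(html)
    findings = [("mixed-content", u) for u in p.resources if urlsplit(u).scheme == "http"]
    for u in p.links:
        parts = urlsplit(u)
        if parts.scheme == "http" and parts.hostname == site:
            findings.append(("http-link", u))
    return findings


# Constructed sample page (not a real site): one http:// script, one http:// internal link.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/lib.js"></script></head>
<body><a href="/about">About</a>
<a href="http://www.example.com/blog">Blog</a>
<a href="http://other.example.net/">Partner</a></body></html>"""

if __name__ == "__main__":
    for kind, url in audit_https_everywhere("https://www.example.com/", SAMPLE_HTML):
        print(kind, url)
```

Relative URLs resolve against the page's own https:// address and are therefore not flagged; links to other sites over http:// are outside your control and are skipped as well.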
HTTPS Quality Check
You can check the quality of any HTTPS implementation with the free Qualys SSL Labs Server Test. As of this writing, cascadingmedia.com earned an “A” letter grade for its overall HTTPS implementation. For perspective, Bank of America earned a “B” from the same Qualys test. JPMorgan Chase also earned a “B”; however, some of its servers failed entirely. It makes one think twice about “bank level security”.
If you have any questions or comments about HTTPS everywhere, I can be reached on Twitter @BenjaminPatch. Until next time, take care and secure your website with HTTPS everywhere!