Recently I changed my web site over to being exclusively served via HTTPS (HTTP Secure). This post details the reasons for the change over from HTTP to HTTPS.
Privacy (Confidentiality)
When accessing a site via HTTPS, no information (except IP Address and Port Number of the web server) sent between client and server can be intercepted and pumped for profiling purposes (advertising, dragnet surveillance, etc) or fraud (credit card number, social security number, etc). HTTPS substantially lowers the value of eavesdropping on the communication between the browser and website since all that an eavesdropper can possibly obtain is the domain which the user was connected to, how long the session was and how much data was transferred. The content which was exchanged remains private. This is a must in cases where sensitive information is being exchanged: passwords, bank account numbers, etc. Potential eavesdroppers can include someone else connected to the same Wi-Fi access point or the ISP (Internet Service Provider).
Integrity
The website appears as it was intended. Network routers and ISPs can pump their own content into sites. (ads, trackers, etc). This is known as content hijacking and, in my opinion, is totally disrespectful to the content consumers and providers of the Internet.
Here are a few examples of content hijacking:
Verizon injected tracking headers into every request that their customers made regardless of whether it was through a web browser or another application. Telecom companies call this practice “header enrichment” and to make matters even worse the tracking headers can be used by any website or embedded third party on a website to track users across the Internet. For example, Twitter’s mobile advertising arm, MoPub, utilized Verizon’s tracking header for it’s own tracking and targeted ads.
Comcast has injected pop-ups where they do not belong for websites served over HTTP. Comcast has used these pop-up ads to try to sell the user on upgrading their service or just to promote it’s offerings while the user is browsing the web.
Comcast has also injected ads onto sites served over HTTP for users utilizing their free Wi-Fi hotspots. AT&T has injected ads as well with their complimentary Wi-Fi hotspots.
In regards to the free Wi-Fi hotspots being monetized via ads, one might be a bit sympathetic, however, consider the following:
- It is not the router owner’s website to modify and deface with advertisements. Imagine if a bookstore modified books and then sold those to customers as the real thing without the consent of the author.
- Inserting ads via JavaScript can lead to security issues as the script could become compromised leading to user information being stolen. The script also could create vulnerabilities on a web page either directly or indirectly through elements interacting with the code incidentally causing key functionality being broken on the page.
Personally, I made a decision to not serve ads on my personal blog and would like to keep things that way.
Authentication
The user receives confirmation via a certification authority (CA) which is a trusted third-party that verifies for the user that they are indeed communicating with the website that they intended to access as opposed to an impostor (via a Man-in-the-Middle attack). In essence, the CA vouches for the identity of the website so the browser can let the user know that they have visited the actual real website.
Search engine optimization (SEO)
Search engines such as Google say they rank sites served via HTTPS higher. Cool.
HTTP/2
HTTP/2 is the successor to HTTP 1.1 and decreases latency to improve page load speeds in web browsers. From a technical perspective, most client implementations of HTTP/2 only support HTTP/2 over TLS which makes encryption (HTTPS) a requirement in those circumstances. Firefox, Chrome, Safari, Opera, IE, Edge all will only support HTTP/2 over TLS. Encryption is not a mandatory requirement in the HTTP/2 protocol, but for website owners where most of the visitors will be using one of those browsers essentially makes HTTPS a prerequisite to making the jump to HTTP/2.
Next Steps (Where do we go from here?)
As a user, you can do the following:
- Use the HTTPS Everywhere browser extension for Firefox, Firefox for Android, Chrome and Opera! This extension was developed and is maintained by the EFF and rewrites requests from HTTP to HTTPS where available.
- Email the web master of a HTTP-only website and ask them when they plan to offer their website via HTTPS.
As a website owner, you can offer your website via HTTPS. In order to encourage websites to adopt HTTPS, the Let’s Encrypt CA was started by the EFF, Mozilla and others. Let’s Encrypt issues free Domain Validation (DV) certificates so any website can enable secure HTTPS connections with no cost.
As a web site owner myself, I find it is important to protect visitors from eavesdropping, content hijacking and to give them a reasonable guarantee that they are communicating with the real website.
Note about Mixed Content (HTTP/HTTPS) sites
As one browses the web, they may notice their browser complain about “mixed content” which means that the website that they are visiting is serving some content over HTTP on an HTTPS page. For example, a page on a blog may serve the article over HTTPS, but the same page may be also be loading additional images, JavaScript, CSS style sheets, etc which are served over HTTP. While “mixed content” is somewhat more secure than pure HTTP, it is not much more secure. As this excellent Mozilla Developer Network article on Mixed Content explains, the level of risk to eavesdropping and content hijacking depends on what the mixed content is.
If the mixed content is images, audio, video then:
- Eavesdropper: Can infer what page a user is visiting by examining the media being requested. For example, a particular image may only be served on a particular page.
- Content Hijacker: Can substitute the media with their own. For example, if the buttons on a page are images, then the content hijacker could swap the “Yes” and “No” buttons or “OK” and “Cancel” buttons.
If the mixed content is JavaScript, CSS style sheets, iframes then:
- Eavesdropper: Pretty much the same as above.
- Content Hijacker: Insert malicious scripts or redirect the user to malicious sites. For example, inserting JavaScript to steal credentials and other sensitive information about the user or to install malware on the user’s machine.
Concluding Remarks
Thanks for reading and if you have any questions or corrections to suggest please contact me.