Recently I changed my web site over to being exclusively served via HTTPS (HTTP Secure). This post details the reasons for the change over from HTTP to HTTPS.
When accessing a site via HTTPS, no information (except IP Address and Port Number of the web server) sent between client and server can be intercepted and pumped for profiling purposes (advertising, dragnet surveillance, etc) or fraud (credit card number, social security number, etc). HTTPS substantially lowers the value of eavesdropping on the communication between the browser and website since all that an eavesdropper can possibly obtain is the domain which the user was connected to, how long the session was and how much data was transferred. The content which was exchanged remains private. This is a must in cases where sensitive information is being exchanged: passwords, bank account numbers, etc. Potential eavesdroppers can include someone else connected to the same Wi-Fi access point or the ISP (Internet Service Provider).
The website appears as it was intended. Network routers and ISPs can pump their own content into sites. (ads, trackers, etc). This is known as content hijacking and, in my opinion, is totally disrespectful to the content consumers and providers of the Internet.
Here are a few examples of content hijacking:
Verizon injected tracking headers into every request that their customers made regardless of whether it was through a web browser or another application. Telecom companies call this practice “header enrichment” and to make matters even worse the tracking headers can be used by any website or embedded third party on a website to track users across the Internet. For example, Twitter’s mobile advertising arm, MoPub, utilized Verizon’s tracking header for it’s own tracking and targeted ads.
Comcast has injected pop-ups where they do not belong for websites served over HTTP. Comcast has used these pop-up ads to try to sell the user on upgrading their service or just to promote it’s offerings while the user is browsing the web.
In regards to the free Wi-Fi hotspots being monetized via ads, one might be a bit sympathetic, however, consider the following:
- It is not the router owner’s website to modify and deface with advertisements. Imagine if a bookstore modified books and then sold those to customers as the real thing without the consent of the author.
Personally, I made a decision to not serve ads on my personal blog and would like to keep things that way.
The user receives confirmation via a certification authority (CA) which is a trusted third-party that verifies for the user that they are indeed communicating with the website that they intended to access as opposed to an impostor (via a Man-in-the-Middle attack). In essence, the CA vouches for the identity of the website so the browser can let the user know that they have visited the actual real website.
Search engine optimization (SEO)
Search engines such as Google say they rank sites served via HTTPS higher. Cool.
HTTP/2 is the successor to HTTP 1.1 and decreases latency to improve page load speeds in web browsers. From a technical perspective, most client implementations of HTTP/2 only support HTTP/2 over TLS which makes encryption (HTTPS) a requirement in those circumstances. Firefox, Chrome, Safari, Opera, IE, Edge all will only support HTTP/2 over TLS. Encryption is not a mandatory requirement in the HTTP/2 protocol, but for website owners where most of the visitors will be using one of those browsers essentially makes HTTPS a prerequisite to making the jump to HTTP/2.
Next Steps (Where do we go from here?)
As a user, you can do the following:
- Use the HTTPS Everywhere browser extension for Firefox, Firefox for Android, Chrome and Opera! This extension was developed and is maintained by the EFF and rewrites requests from HTTP to HTTPS where available.
- Email the web master of a HTTP-only website and ask them when they plan to offer their website via HTTPS.
As a website owner, you can offer your website via HTTPS. In order to encourage websites to adopt HTTPS, the Let’s Encrypt CA was started by the EFF, Mozilla and others. Let’s Encrypt issues free Domain Validation (DV) certificates so any website can enable secure HTTPS connections with no cost.
As a web site owner myself, I find it is important to protect visitors from eavesdropping, content hijacking and to give them a reasonable guarantee that they are communicating with the real website.
Note about Mixed Content (HTTP/HTTPS) sites
If the mixed content is images, audio, video then:
- Eavesdropper: Can infer what page a user is visiting by examining the media being requested. For example, a particular image may only be served on a particular page.
- Content Hijacker: Can substitute the media with their own. For example, if the buttons on a page are images, then the content hijacker could swap the “Yes” and “No” buttons or “OK” and “Cancel” buttons.
- Eavesdropper: Pretty much the same as above.
Thanks for reading and if you have any questions or corrections to suggest please contact me.