It's time to turn on HTTPS: The benefits are well worth the effort
By Lucian Constantin | Tue, 14 Mar 2017 05:30:00 -0700
After Edward Snowden revealed that online communications were being collected en masse by some of the world’s most powerful intelligence agencies, security experts called for encryption of the entire web. Four years later, it looks like we’ve passed the tipping point.
The number of websites supporting HTTPS — HTTP over encrypted SSL/TLS connections — has skyrocketed over the past year. There are many benefits to turning on encryption, so if your website does not yet support the technology it’s time to make the move.
Recent telemetry data from Google Chrome and Mozilla Firefox shows that over 50 percent of web traffic is now encrypted, both on computers and mobile devices. Most of that traffic goes to a few large websites, but even so, it’s a jump of over 10 percentage points since a year ago.
Meanwhile, a February survey of the world’s top 1 million most-visited websites revealed that 20 percent of them supported HTTPS, compared to around 14 percent back in August. That’s an impressive growth rate of over 40 percent in half a year.
There are a number of reasons for the accelerated adoption of HTTPS. Some of the past deployment hurdles are easier to overcome, the costs have come down and there are many incentives to do it now.
One of the longstanding concerns about HTTPS is its perceived negative impact on server resources and page load times. After all, encryption usually comes with a performance penalty so why would HTTPS be any different?
As it turns out, thanks to improvements in both server and client software over the years, the performance impact of TLS (Transport Layer Security) encryption is now negligible.
After Google turned on HTTPS for Gmail in 2010, the company observed only an additional 1 percent CPU load on its servers, under 10KB of extra memory per connection and less than 2 percent network overhead. The deployment didn’t require any additional machines or special hardware.
Not only is the impact minor on the back end, but browsing is actually faster for users when HTTPS is turned on. The reason is that modern browsers support HTTP/2, a major revision of the HTTP protocol that brings many performance improvements.
Even though encryption is not a requirement in the official HTTP/2 specification, browser makers have made it mandatory in their implementations. The bottom line is that if you want your users to benefit from the major speed boost in HTTP/2, you need to deploy HTTPS on your website.
The cost of obtaining and renewing the digital certificates needed to deploy HTTPS has been a concern in the past, and rightfully so. Many small businesses and non-commercial entities have likely stayed away from HTTPS for this very reason, and even larger companies with many websites and domains in their administration might have been worried about the financial impact.
Fortunately, that should no longer be an issue, at least for websites that don’t require extended validation (EV) certificates. The nonprofit Let’s Encrypt certificate authority launched last year provides domain validation (DV) certificates for free through a process that’s completely automated and easy to use.
From a cryptography and security standpoint, there is no difference between DV and EV certificates. The only difference is that the latter requires a stricter verification of the organization requesting the certificate and allows the certificate owner’s name to appear in the browser address bar next to the HTTPS visual indicator.
In addition to Let’s Encrypt, some content delivery networks and cloud services providers, including CloudFlare and Amazon, offer free TLS certificates to their customers. Websites hosted on the WordPress.com platform also get HTTPS by default and free certificates even if they use custom domains.
Deploying HTTPS used to be fraught with peril. Due to poor documentation, continued support for weak algorithms in crypto libraries and new attacks constantly being discovered, there used to be a high chance for server administrators to end up with vulnerable HTTPS deployments. And bad HTTPS is worse than no HTTPS, because it gives a false sense of security to users.
Some of those problems are being resolved. Now there are websites like Qualys SSL Labs that provide free documentation on TLS best practices, as well as testing tools to discover misconfigurations and weaknesses in existing deployments. Meanwhile, other websites provide resources on TLS performance optimizations.
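The misconfiguration problem described above (legacy protocol versions and weak cipher suites still enabled by the crypto library's defaults) is easiest to see in code. The following is an added example, not code from the article or from Qualys SSL Labs: it builds a hardened server-side TLS context with Python's standard `ssl` module, pinning a minimum protocol version and a modern cipher list, and provides two small checks of the kind an SSL Labs scan would flag. The cipher string, the weak-algorithm markers and the certificate paths are this example's own choices and placeholders.

```python
"""Hardened versus library-default TLS server context (added example)."""
import ssl

# Substrings that mark cipher suites no current best-practice guide allows.
# Constructed list for this example; not an exhaustive definition of "weak".
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")

# Forward-secret (ECDHE) suites with AEAD ciphers only; everything else is
# excluded explicitly so that a library default cannot sneak back in.
MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"


def permissive_server_context():
    """Whatever the linked OpenSSL build allows by default, for comparison."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses TLS < 1.2, weak suites and TLS compression.

    certfile/keyfile are placeholders; pass the chain and key issued for
    the site (for example by Let's Encrypt) to actually serve traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(MODERN_CIPHERS)                 # drop RC4, 3DES, MD5, anon
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression (CRIME)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_suites(ctx):
    """Names of enabled cipher suites containing a weak-algorithm marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def allows_legacy_protocol(ctx):
    """True if the context would still negotiate a protocol older than TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for label, ctx in (("default", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        print(f"{label}: legacy protocols allowed={allows_legacy_protocol(ctx)}, "
              f"weak suites={weak_suites(ctx)}")
```

What the default context reports depends on the OpenSSL version Python was built against, which is exactly the point: a deployment that relies on library defaults inherits whatever the library happened to ship with, while the hardened context produces the same answer everywhere.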
Pulling in external resources like images, videos and JavaScript code over unencrypted connections into an HTTPS website will trigger security alerts in users’ browsers. And because many websites depend on external content for their functionality — commenting systems, web analytics, advertising etc. — the mixed content issue has kept many of them from migrating to HTTPS.
The good news is that a large number of third-party services, including ad networks, have added HTTPS support in recent years. The proof that this is not as bad a problem as it used to be is that many online media websites have already switched to HTTPS, even though such websites are highly dependent on advertising revenue.
Webmasters can use the Content Security Policy (CSP) header to discover insecure resources on their web pages and either rewrite their origin to HTTPS on the fly or block them. The HTTP Strict Transport Security (HSTS) header can also be used to avoid mixed content issues, as explained by security researcher Scott Helme in a blog post.
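To make the mixed-content workflow from the last three paragraphs concrete, here is an added example (not code from the article, nor from Scott Helme's post): a small scanner that lists the sub-resources an HTTPS page would still load over plain HTTP, the CSP header for a report-only discovery phase, the CSP and HSTS headers for the enforcement phase, and a parser for the JSON violation reports browsers send back. The page, the report endpoint path and the violation report below are constructed for the example.

```python
"""Mixed-content discovery, CSP/HSTS headers and CSP report parsing (added example)."""
import json
from html.parser import HTMLParser

# Attributes through which a page pulls in sub-resources (scripts, styles,
# images, frames, media). Navigation links (<a href>) are skipped below.
_URL_ATTRS = {"src", "href", "data", "poster"}


class _MixedContentFinder(HTMLParser):
    """Collects every sub-resource that is fetched over plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in _URL_ATTRS or not value:
                continue
            if tag == "a" and name == "href":      # a link, not a sub-resource
                continue
            if value.lower().startswith("http://"):  # "//host/x" inherits https
                self.findings.append((tag, value))


def find_mixed_content(html):
    """Return [(tag, url), ...] for resources an HTTPS page would load insecurely."""
    finder = _MixedContentFinder()
    finder.feed(html)
    return finder.findings


def discovery_headers(report_path="/csp-report"):
    """Phase 1: report every non-HTTPS load without blocking anything.

    The Report-Only variant never breaks the page; the browser POSTs a JSON
    violation report to report_path (a constructed endpoint) for each hit.
    """
    return {
        "Content-Security-Policy-Report-Only":
            f"default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri {report_path}",
    }


def enforcement_headers(max_age=31536000):
    """Phase 2: rewrite remaining http:// sub-resources and pin the site to HTTPS.

    Strict-Transport-Security is only honoured when sent over an HTTPS
    response, so attach these headers on the TLS side of the deployment.
    """
    return {
        # The browser rewrites http:// sub-resource URLs to https:// before fetching.
        "Content-Security-Policy": "upgrade-insecure-requests",
        # For max_age seconds the browser refuses plain-HTTP for this host.
        "Strict-Transport-Security": f"max-age={max_age}; includeSubDomains",
    }


def blocked_uri(report_body):
    """Extract the offending resource URL from a CSP violation report body."""
    return json.loads(report_body)["csp-report"].get("blocked-uri")


# Constructed sample page: two insecure sub-resources, one secure script,
# one navigation link and one protocol-relative frame.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://other.example.com/">elsewhere</a>
<iframe src="//widgets.example.com/comments"></iframe>
</body></html>"""

# Constructed report body in the shape browsers POST to the report-uri endpoint.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/",
    "violated-directive": "default-src https:",
    "blocked-uri": "http://images.example.com/logo.png",
}})

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
    print(discovery_headers())
    print(enforcement_headers())
    print("reported by browser:", blocked_uri(SAMPLE_REPORT))
```

Run the discovery headers first and watch the report endpoint for a while, because the static scan only sees the HTML you serve yourself, while browser reports also catch insecure loads triggered by third-party scripts, ad networks and comment widgets; switch to the enforcement headers once the reports dry up.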
Other possibilities include using a service like CloudFlare, which acts as a front proxy between users and the web server that actually hosts the website. CloudFlare encrypts the web traffic between end users and its proxy server, even if the connection between the proxy and the hosting web servers remains unencrypted. This secures only half of the connection, but it’s still better than nothing and will prevent traffic interception and manipulation close to the user.
One of the major benefits of HTTPS is that it protects users against man-in-the-middle (MitM) attacks that can be launched from compromised or insecure networks.
Hackers use such techniques to steal sensitive information from or to inject malicious content into web traffic. MitM attacks can also be done higher up in the internet infrastructure, for example at the country level — the Great Firewall of China — or even at the continental level, as with the NSA’s surveillance activities.
Furthermore, some Wi-Fi hotspot operators and even some ISPs use MitM techniques to inject ads or various messages into users’ unencrypted web traffic. HTTPS can prevent this — even if this content is not malicious in nature, users might associate it with the website they’re visiting, which could hurt the website’s reputation.
Google started to use HTTPS as a search ranking signal in 2014, meaning that websites available over HTTPS get an advantage in search results over those that don’t encrypt their connections. While the impact of this ranking signal is currently small, Google plans to strengthen it over time to encourage HTTPS adoption.
Browser makers are also pushing for HTTPS quite aggressively. The latest versions of Chrome and Firefox display warnings if users attempt to enter passwords or credit card details into forms loaded on non-HTTPS pages.
In Chrome, websites that don’t use HTTPS are prevented from accessing features like geolocation, device motion and orientation or the application cache. The Chrome developers plan to go even further and eventually display a Not Secure indicator in the address bar for all non-encrypted websites.
“As a community I feel we’ve done a lot of good in this area, explaining why everybody should use HTTPS,” said Ivan Ristic, former head of the Qualys SSL Labs and author of a book, Bulletproof SSL and TLS. “Especially browsers, with their indicators and constant improvements, are compelling companies to switch.”
According to Ristic, some adoption hurdles remain, such as having to deal with legacy systems or third-party services that don’t support HTTPS yet. However, he feels that there are now more incentives, as well as pressure from the general public to support encryption, making the effort worth it.
“I feel that, as more sites migrate, it’s getting easier,” he said.
The upcoming TLS 1.3 specification will make HTTPS deployment even easier. While still a draft, the new spec has already been implemented and turned on by default in the latest versions of Chrome and Firefox. This new version of the protocol removes support for old and insecure cryptographic algorithms, making it much harder to end up with vulnerable configurations. It also brings significant speed improvements due to a simplified handshake mechanism.
It’s worth keeping in mind, though, that since HTTPS is now easy to deploy, it can also be easily abused, so it’s also important to educate users about what the technology offers and what it doesn’t.
People tend to have a greater degree of confidence in a website when they see the green padlock that indicates the presence of HTTPS in the browser. Since certificates are now easily obtainable, a lot of attackers are taking advantage of this misplaced trust and are setting up malicious HTTPS websites.
“When it comes to the issue of trust, one of the things we have to be clear about is that the presence of a padlock and HTTPS don’t really mean anything about the reliability of a website and doesn’t even say anything about who is running it,” web security expert and trainer Troy Hunt said.
Organizations will have to deal with the abuse of HTTPS too and they’ll likely start inspecting such traffic on their local networks, if they aren’t already, because encrypted connections could hide malware.