What’s so important that we should all stop using HTTP, and demand a world where all content, including funny cat videos, is delivered with TLS encryption? Since the beginning of the Internet, cat videos have been vectors for laughter, film art, and warm fuzzy feelings. So why would you need an encrypted connection to watch this shareable content?
Reason 1: Protect Yourself
HTTPS has a myriad of uses, the most prevalent among them being e-commerce, online banking and email. Most people associate HTTPS with protecting their data in transit so it can’t be intercepted and then sold or abused. While this continues to be important, HTTPS can also protect data from being manipulated.
Anyone with a sufficient budget and motive can purchase equipment to detect an unencrypted HTTP stream, intercept the traffic, replace it with whatever they desire, and pass it along to the intended target. This ranges from relatively harmless injected ads on an open Wi-Fi network to phishing attacks and, perhaps most dangerous of all, malware delivery.
For example, imagine clicking a video on a trusted site using a legitimate plugin, and silently being infected with malware. We’re not talking about a suspicious link, or a redirect, or a download – simply watching a video. I’m sorry to say, but that world is here and even our beloved cat videos can be vectors for malware. These existing and documented attacks are (for now) only in the hands of government groups, though a research group at Ruhr University has released a paper detailing how anyone could build a similar undetectable network injection attack.

Network injection attack evades detection in most cases. Image: Ruhr University
It is clearly time to start the transition to HTTPS, but spreading this message is going to be a challenge. As it is now, HTTPS suffers from a lack of understanding that often completely negates its benefits. Everyone is familiar with the signs and symbols of HTTPS that include: reassuring padlock icons, annoying certificate name mismatch errors and the ubiquitous yet often disregarded security warnings.

Does the image above look familiar? You’ve probably clicked yes and no to this message countless times (unless you’ve disabled it). Does anyone really know what this means? Does anyone care? Unfortunately not – the search engine results for how to disable this warning far outweigh the search results explaining what it means.
A lot of users don’t fully understand the benefits and limitations of HTTPS, often ignoring or disabling warning messages about mixed-content delivery. Having some parts of the site delivered without encryption means a lot more than you may think. When explained in familiar terms, it's the equivalent of leaving your car doors locked but the windows rolled down.
If, after years of widespread use, this message is still failing to change the behavior of web users, how can we expect awareness of the additional risks to resonate? We can’t and we shouldn’t. Instead, we should all push for HTTPS Everywhere. This strategy aims to remove the decisions and warning messages by simply making HTTPS the replacement for HTTP.
It’s unfortunate that we now live in a world where grumpy cat could possibly be responsible for infecting your machine, but it’s true and we need to take action.
Reason 2: Protect Your Image and Limit Your Liability
As a content provider, one of the last things you need is to be blamed for spreading malware. Due to the nature of HTTP injection attacks, almost any site using HTTP could be a vector, especially when its content is sent over an open Wi-Fi network. In years past, ad networks have been a convenient method for distributing malware completely unbeknownst to the site host. The damage is significant and can cause very real losses, but at least in the case of advertising, the end user might understand that it wasn’t the site host's fault for spreading malware.
In the case of HTTP injection attacks, fewer users will understand and even fewer still will forgive, because prevention is so simple. The overhead is low or non-existent as IaaS providers like AWS even provide SSL offloading with their Elastic Load Balancer at no additional cost.
Reason 3: Boost Your Search Engine Ranking
While big search engines may not be champions for privacy, they do take a strong stance on security. Google’s secure search initiative may come with questionable motivations (here and here), but it did result in an increased use of HTTPS across the web as its competitors followed suit. Now Google is rewarding sites for using HTTPS by ranking them higher in search results. This type of social engineering is bound to have dramatic effects on the use of HTTPS by websites around the world.
Don’t hesitate; start to require HTTPS on your site and in your own browser. You’ve got too much to lose if you don’t, and potential PageRank to gain if you do!
So, Will Any HTTPS Work?
Yes and no. In general HTTPS is safer than HTTP, but only if it’s properly configured. As mentioned at the beginning of this post, TLS is the preferred encryption type. There are older protocols, like SSL 3.0, still floating around the Internet for legacy compatibility, but like many legacy technologies, they can be exploited. In September, vulnerability CVE-2014-3566, known as POODLE, was announced and had sys admins everywhere scrambling to reconfigure their web servers and load balancers.
Unfortunately proper configuration isn’t always enough. Earlier this year a massive vulnerability, named Heartbleed, was discovered in OpenSSL. Thankfully a patch was made available very quickly, but innumerable systems and private keys were compromised in the time it took many admins to receive the notification and patch their servers.
A simple explanation of Heartbleed from XKCD.com
While these issues with SSL may appear to mitigate the motivation for ditching HTTP, they have both been patched and serve as great examples of how quickly the open source community responds to and creates patches for known vulnerabilities.
Now What?
Take a little time and configure your websites to enforce HTTPS. It doesn’t take very long, and there are plenty of instructions available for all common web servers. Once done, continue streaming cat videos with peace of mind.
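As an added example (not part of the original post), here is what "enforce HTTPS, properly configured" looks like for nginx: port 80 only redirects, port 443 refuses SSL 3.0 so POODLE cannot be used for a downgrade, and HSTS tells browsers to stay on HTTPS. The hostname and certificate paths are placeholders.

```nginx
# Added example, not the post's own configuration. example.com and the
# certificate paths below are placeholders; substitute your own values.

# Weak (before): plain HTTP is served, and the TLS listener still
# accepts SSL 3.0, which is vulnerable to POODLE (CVE-2014-3566).
#
# server {
#     listen 80;
#     server_name example.com;
#     root /var/www/cats;
# }
# server {
#     listen 443 ssl;
#     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#     ...
# }

# Corrected: port 80 exists only to send everyone to HTTPS.
server {
    listen 80;
    server_name example.com;
    # Permanent redirect so browsers and search engines learn the HTTPS URL.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/cats;

    ssl_certificate     /etc/ssl/certs/example.com.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder path

    # TLS only: SSL 3.0 is left out, closing the POODLE downgrade.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;

    # HSTS: browsers that have seen this header use HTTPS for this host
    # for the next year, even when a user types http://.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Run `nginx -t` after editing to confirm the configuration parses, then reload nginx.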