Checklist 55: Putting the “S” in HTTPS
HTTPS: What’s So Special About That “S”?
HTTP: the hypertext transport protocol. We know it, we love it, and we can’t live without it — it powers the web! If you’ve been paying attention, though, you’ve probably noticed things have undergone a bit of a change in recent years. Instead of plain old HTTP, we now rely upon HTTPS much more often. It’s the addition of that “s” that makes a whole world of difference.
We know that HTTPS is more secure than HTTP, but why is that? Today on the Checklist, we’re taking another look at one of those things that we all know is true, but without really knowing why it’s true — or even why we should care enough to make sure we’re connecting to sites over HTTPS! Let’s jump right into it by breaking down what’s changed.
The difference between HTTP and HTTPS
So, we know that HTTP stands for “hypertext transfer protocol,” and it’s what you see in front of the “WWW” when you type a web address into your browser. It’s a core part of every web address — like https://www.securemac.com. Without HTTP, you’re not going anywhere. What do those words mean?
HTTP is the language used by your web browser to communicate with websites. It’s how your browser requests the web server to send back a web page and all of its content. When you want to go to YouTube and watch some cute cat videos or old hip-hop music videos, it’s an HTTP request tells the servers what you’re looking for and how to serve it up. What’s inside that request isn’t important to the average user, but it’s filled with information that tells a server what you want.
So that’s what HTTP does, but when we add an S to it, it seems like it magically becomes more secure somehow. That’s the part we’re hitting today. HTTP still stands for the same thing here, but what does the S add to the equation? It simply means “secure” — so now we have the hypertext transfer protocol secure. By adding the S, we gain the security advantages of the “Secure Socket Layer”, or SSL, and a safer connection.
What is SSL?
You’ve probably known since the first time you accessed the Web to type HTTP in front of your web addresses. It’s a thing you know, but you don’t know why. Now, with HTTPS, it’s the same thing all over again. We know that you’ll gain some security benefit from using it, but it can’t be a magic bullet, right? You can’t just put an “S” on there and have everything suddenly be more secure. So, let’s go over what Secure Socket Layer means, what it is, and what it does.
SSL is all about creating a secure encrypted connection between the web server hosting the site and your web browser. Here’s an easier way to think about it. HTTP, on its own without SSL, could be thought of as sending a postcard through the mail. You’ve got your return address, who you’re sending it to, and the little note you’ve written on the back. It travels through the mail from you to your recipient, but anyone along the way who handles that postcard can look on the back and see what you’ve written.
HTTPS, on the other, would be like sending a note in one of those security envelopes that protect what’s inside from prying eyes. You’ve got the address and the return address on the outside, but without opening the envelope, generally speaking, no one else will be able to read what you sent. Only the recipient — in this case, the web server — will know what you’ve sent, such as a login request with your password, and not until it “opens” the message. The same happens when it sends page information back to you. It arrives in a secure package that your browser unpacks to display the page you wanted.
Could HTTPS and SSL eliminate the need for a VPN?
Obviously, we know that not every website uses HTTPS. We’ll take a closer look at what webmasters and users alike need to consider in that regard shortly, but first, let’s consider another question. If the way SSL works sounds a bit like the way a VPN works regarding hiding information traveling between your computer and a website, that’s because the basic idea is similar. So, if every single site we visited adopted HTTPS, would we still need to use VPNs to protect our privacy online?
Yes and no. There will always be use cases for VPNs, especially because they can take advantage of specific, custom settings that might allow only certain trusted IP addresses or connections to work. So, from a security standpoint, there are still uses for VPNs, especially in corporate environments where data security is of paramount importance.
The ultimate goal, though — a world where everything on the web transitions over to HTTPS — would make things better and more secure for everybody. That could, in turn, reduce the need for individuals to rely on VPNs. However, we’ve still got a long way to go with that transition, and it’s important to keep all your options open for improving security. VPNs are a useful tool for many reasons, especially given the inconsistent nature of HTTPS’s adoption.
So, is all this a new development?
Why is HTTPS something we’ve only started to hear more about in the past few years? Is this a new protocol that’s come out in the past couple of years, or is it a change spurred on by the growing number of security breaches? It’s true that HTTPS is something we’ve had available for many years, but its slow rate of adoption has more to do with what it takes to implement SSL rather than a lack of understanding as to its benefits.
In fact, there are a few reasons we’ve only recently started to see a wider proliferation of HTTPS. More so in previous years but even today, there has been some overhead associated with setting up a server that can successfully use HTTPS. In the past, that might have been a hardware limitation, with machines too slow or cumbersome to process the advanced traffic; that’s hardly ever the case today.
The bigger issue for many years has been the expense involved in getting an SSL certificate. An SSL certificate is a digital document that contains encryption information unique to the site and usually with the server’s authenticity verified by a third party. Without a valid certificate, your browser cannot fully trust the security of the connection.
In the recent past, these certificates were handed out only by a handful of companies, and the process for obtaining an SSL cert was prohibitively expensive. However, the cost has been going down especially over the past couple of years. The knowledge it takes to create what is known as a “self-signed” certificate has spread as well, allowing more independent websites to set up their own HTTPS servers. It’s now much more accessible even for individuals who aren’t very tech-savvy to obtain a security certificate for their website and begin offering secure connections to their users.
The push for HTTPs continues
Major security breaches and the growing number of threats on the web have played a definite role in increasing the prevalence of secure HTTP connections. When you’re transmitting private information such as usernames, passwords, and credit card details, you don’t want that information flying across the web in plain text. You want to be sure it’s hidden from prying eyes and “man in the middle” attacks.
Even major players on the Internet have been making a push to encourage webmasters to adopt HTTPs. Recently, they made changes to their search ranking algorithm to give more weight to those that use secure connections, thus raising them higher up the results page. Incentivizing website owners to implement proper security can only be a good thing, not only because it protects users, but also because there are very few reasons not to use HTTPS these days.
In fact, many sites will now automatically redirect you to the HTTPS connection even if you don’t type it into your browser. For example, open your web browser and type in “news.com” or even just “facebook.com” and you’ll quickly see that you’re sent to the HTTPS site. The appearance of the “lock” icon in your browser bar is an easy visual indicator to use to know if your connection is encrypted.
Not everyone does this, though. Type in CNN.com, and you’ll see no lock icon appears; even if you type in “https” manually, you won’t make a secure connection. Why? It’s hard to say, but it could be due to the way the site has set up its advertising network. CNN has a valid SSL security certificate but seems to choose not to use it; perhaps their ad network relies on an insecure connection to track users more. The functionality is there, but not every webmaster chooses to use it yet.
This is something we see a lot, especially right now when the web is in a period of transition away from older, less secure practices and into the adoption of these newer, more secure technologies. Let’s look at a recent example we encountered personally during a visit to the Fedex.com site. FedEx makes it simple to create a free account on their site so you can track packages more easily and see when your deliveries will arrive, which is all fine and good — except when you finally go to log in. Our password manager caught the issue in time, sending up a warning that we were about to send password information through an insecure page. What happened? How could such a large company ask users to log in insecurely?
It turns out that Fedex.com does have a secure login page with a valid certificate, but depending on what links you click to get there, you may still land on an old, insecure login page. It’s one of those cases where the company itself probably isn’t even aware of the problem, and it’s, unfortunately, a common occurrence right now.
When you add security later on, in the process of updating older systems, often you can miss things that create these security holes. The intent behind the upgrades is obviously to route users through secure channels, but there are still edge cases when that’s not always going to happen. With perhaps a small army of web engineers working on a major corporate site, oversights like these will happen.
Why should sites be using HTTPS?
Let’s jump back to the CNN example again. When you visit a site like CNN’s, you’re not usually exchanging any personal information with their server — you’re just there reading news. So why would CNN necessarily want to use HTTPS when they’re just throwing up a page of news? When we talk about something like FedEx, it’s easy to understand why they would need to implement security. You’re entering delivery addresses; you’re plugging in credit card information; that’s all data that you want to keep as safe as possible.
The same goes for when you’re communicating with a website for your doctor’s office or a hospital; in fact, those use even stronger encryption to comply with HIPAA, but the point is the same. These are scenarios where the need is evident. What about when it’s not? Do blogs or podcast sites use HTTPS just so search engines will boost their rankings?
It’s simply a matter of using the best practices. It’s not ten years ago when your old Nokia phone (no offense to Nokia!) or your ancient web browser might not offer support for HTTPS. Everyone can access it now, so as we mentioned, there’s no good reason to avoid using HTTPS and tons of excellent reasons for its use. Hiding our communications with websites, even if it’s mundane information, is preferable to leaving it out in the open for hackers or anyone else on your network to read.
There’s another reason too, though, and that is that HTTPS can help to mitigate the risk that you’ll fall victim to those “man in the middle” attacks we mentioned. That’s when a malicious third party impersonates the website you’re trying to connect to, often by forging or faking the site’s certificate. So as a general example, you might encounter a bad guy attempting to serve you a page pretending to be CNN’s site. An HTTPS connection and checking to make sure the certificate is valid can let you know it’s really coming from the legitimate CNN server and not someone who wants to intercept your traffic from some malicious or unknown reason.
Malware tries to do this to us a lot, infecting machines and redirecting you to the bad guy’s site. It’s not likely for this to happen with a site like CNN, though it’s still worth their time to employ a secure connection. Instead, malware is more likely to target your links to banking sites.
If they haven’t set up their server correctly and can’t supply a certificate, the HTTPS connection will break. Your browser will typically even alert you to the potential danger or the invalid certificate. So, all in all, this is an essential security feature with a low barrier to entry for everyone — with how much it can help, there’s no reason to avoid using it.
What do webmasters need to keep in mind?
Let’s turn our attention away from the big corporate sites and consider a site more along the lines of what you’d find operated by the average individual. We might suppose that a friend of ours wants to add HTTPS to an old server he’s been running for his buddies for years. How hard would that be today?
Thankfully it’s not that difficult now. Obtaining a certificate is the first and most important thing to do, and even that isn’t so complicated today. There are signing authorities, like Verisign, that vet many of the most major websites and supply their certificates. You might obtain one from these companies, or you can choose to act as your own signing authority. In that case, you basically say that you guarantee the security of the server yourself. That’s why we call a “self-signed certificate.” If you’re just running a server for your friends and they trust you to operate above board, that’s usually sufficient (and costs you nothing). However, you’re not going to want to trust self-signed certificates in an e-commerce setting.
Besides the majors like Verisign, there are also other third-party signing authorities that grant certificates, sometimes for free or at a very low cost. Just about every web host out there will offer SSL certificates and HTTPS functionality as a bundled add-on for your hosting package, too, with minimal fees.
Once you’ve got the certificate, you’ll need to set up your server so it can use that certificate to accept encrypted traffic. You’ll also want to set up a redirect so that people who try to connect over plain HTTP automatically route to the secure connection. That’s pretty much all there is to it! Everything else happens automatically between their browser and your server.
As a webmaster, it’s always best to send users to the secure connection when you can, not just because search engines might give you preferential ranking, but because it adds no real strain to your resources. You promote a more secure web environment by promoting the use of HTTPS. Even if your site has been on HTTP for years and years, automatic forwarding means users will never have to remember a change in your URL.
Even site builders like HostGator, Wix, or Squarespace offer this functionality. It may be a feature you need to enable manually, or it may be available automatically, but the point remains that any of these providers have an incentive to do so — they’re often a home for small e-commerce businesses. Those customers will tend to renew for longer service periods and need to be able to show their clients their info is safe. Providing security to these types of customers is just good business sense. Best of all, even users who don’t use these sites to make money can take advantage of the best security practices.
HTTPS concerns for the average user
While the lack of a secure connection on a site like CNN isn’t the end of the world, it’s important to remember where you should be looking for that lock icon. eBay, Amazon, your bank, a doctor’s website — anywhere that you’re putting vulnerable or sensitive info should keep HTTPS in play for your safety. Besides these high-value sites, there isn’t much of a reason to be concerned that you’re reading news on an insecure site. Now, if you were a whistleblower hoping to share information on something shady your company was doing, you would naturally want to check and make sure that an online tip form uses a secure connection.
Even the average user doesn’t have to settle for an insecure connection if you don’t want. Dropping an email to the site’s team letting them know you’d like to use a secure connection can’t hurt. Sometimes, it’s just a case of “we haven’t gotten to it yet” — security is often an afterthought for companies, after all. Running a major website is a tough balancing act and creating secure access isn’t always a top priority. When an ecommerce company fails to do that, though, it’s far more concerning. So, to summarize: if you’re someone who runs a website – get SSL for your server! It’s worth the minimal effort it takes to set up and use.
If you’re a web user – let your favorite sites know that it’s 2017 and it’s time to put an “S” on the end of that HTTP! Every web service you use should rely on secure protocols to get the job done, whether it’s on your phone, on your desktop, or inside an app.
Look at your messaging apps. In many cases, you’ll find options in your settings to use SSL connections for your email or messages. Many times, people might not even have this option enabled – though that’s an issue that’s going away as companies such as Apple set requirements for apps to use secure connections by default.
On a computer, though, you might be using older software or imported settings from a previous version, so the setting for secure connections might not be enabled. Though the chance you’re not communicating securely is low, it’s worth checking your settings. With newer software, you don’t often need to worry about your settings leaving you exposed.
Phew — that’s a lot of information packed into one tiny letter! We’ve covered a lot of information today on the Checklist, so as always, if you want to know more you can always check out our show notes for this episode and any of our past discussions online. Just check out securemac.com/checklist.
If you have a topic you’d like us to hit, a question you’d like to ask, or some kind of security use-case that you’d like to know more about, we have an email address we’d love for you to use. Just email us at checklist@securemac.com. Thanks for listening to another episode of The Checklist brought to you by Securemac. We’ll be back again next week.
