[BreachExchange] It's time for websites to turn on HTTPS encryption: the benefits are worth the effort

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 15 20:44:25 EDT 2017


http://www.pcworld.com/article/3180689/security/its-time-to-turn-on-https-the-benefits-are-well-worth-the-effort.html

After Edward Snowden revealed that online communications were being
collected en masse by some of the world’s most powerful intelligence
agencies, security experts called for encryption of the entire web. Four
years later, it looks like we’ve passed the tipping point.

The number of websites supporting HTTPS—HTTP over encrypted SSL/TLS
connections—has skyrocketed over the past year. There are many benefits to
turning on encryption, so if your website does not yet support the
technology, it’s time to make the move.

Recent telemetry data from Google Chrome
<https://www.google.com/transparencyreport/https/metrics/?hl=en> and Mozilla
Firefox <https://twitter.com/letsencrypt/status/786977436109934592> shows
that over 50 percent of web traffic is now encrypted, both on computers and
mobile devices. Most of that traffic goes to a few large websites, but even
so, it’s a jump of over 10 percentage points since a year ago.

Meanwhile, a February survey of the world’s top 1 million most visited
websites <https://scotthelme.co.uk/alexa-top-1-million-analysis-feb-2017/>
revealed
that 20 percent of them supported HTTPS, compared to around 14 percent back
in August <https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-2016/>.
That’s an impressive growth rate of over 40 percent in half a year.

There are a number of reasons for the accelerated adoption of HTTPS. Some
of the past deployment hurdles are easier to overcome, the costs have come
down and there are many incentives to do it now.

*Performance impact*

One of the longstanding concerns about HTTPS is its perceived negative
impact on server resources and page load times. After all, encryption
usually comes with a performance penalty so why would HTTPS be any
different?

As it turns out, thanks to improvements to both server and client software
over the years, the impact of TLS (Transport Layer Security) encryption is
negligible.

After Google turned on HTTPS for Gmail in 2010, the company observed
<https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html> only an
additional 1 percent CPU load on its servers, under 10KB of extra memory
per connection and less than 2 percent network overhead. The deployment
didn’t require any additional machines or special hardware.

Not only is the impact minor on the backend, but browsing is actually faster
<http://www.httpvshttps.com/> for users when HTTPS is turned on. The reason
is that modern browsers support HTTP/2, a major revision of the HTTP
protocol that brings many performance improvements.

Even though encryption is not a requirement in the official HTTP/2
specification, browser makers have made it mandatory in their
implementations. The bottom line is that if you want your users to benefit
from the major speed boost in HTTP/2, you need to deploy HTTPS on your
website.

*It’s always about money*

The cost of obtaining and renewing the digital certificates needed to
deploy HTTPS has been a concern in the past, and rightfully so. Many small
businesses and non-commercial entities have likely stayed away from HTTPS
for this very reason and even larger companies with many websites and
domains in their administration might have been worried about the financial
impact.

Fortunately, that should no longer be an issue, at least for websites that
don’t require extended validation (EV) certificates. The nonprofit Let’s
Encrypt certificate authority launched last year provides domain validation
(DV) certificates for free through a process that’s completely automated
and easy to use.

From a cryptography and security standpoint there is no difference between
DV and EV certificates. The only difference is that the latter requires a
stricter verification of the organization requesting the certificate and
allows the certificate owner’s name to appear in the browser address bar
next to the HTTPS visual indicator.

In addition to Let’s Encrypt, some content delivery networks and cloud
services providers, including CloudFlare and Amazon, offer free TLS
certificates to their customers. Websites hosted on the WordPress.com
platform also get HTTPS by default and free certificates even if they use
custom domains.

*There’s nothing worse than bad implementation*

Deploying HTTPS used to be fraught with peril. Due to poor documentation,
continued support for weak algorithms in crypto libraries and new attacks
constantly being discovered, there used to be a high chance for server
administrators to end up with vulnerable HTTPS deployments. And bad HTTPS
is worse than no HTTPS, because it gives a false sense of security to users.

Some of those problems are being resolved. Now there are websites like Qualys
SSL Labs <https://www.ssllabs.com/> that provide free documentation on TLS
best practices, as well as testing tools <https://www.ssllabs.com/ssltest/> to
discover misconfigurations and weaknesses in existing deployments.
Meanwhile, other websites provide resources on TLS performance optimizations
<https://istlsfastyet.com/>.
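The kind of misconfiguration the paragraph above describes usually comes down to two server-side settings: which protocol versions are accepted and which cipher suites are offered. The following Python example, added here and not taken from the article or from Qualys SSL Labs, builds a deliberately permissive server context next to a hardened one and audits each the way an external scanner would, by listing the suites the context would actually offer. The list of weak-cipher name fragments is an assumption for the example, drawn from general TLS best-practice guidance; the certificate paths in the comment are placeholders.

```python
import ssl

# Substrings that mark cipher suites TLS best-practice guides treat as weak or
# broken: RC4, single/triple DES, export-grade suites, anonymous key exchange,
# MD5-based MACs and NULL encryption. This list is an assumption for the example.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def weak_ciphers(ctx):
    """Names of the cipher suites a context would offer that match a weak marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]


def legacy_server_context():
    """The kind of deployment the article warns about: accept every protocol
    version and every cipher the TLS library was built with."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # SSLv3/TLS 1.0 if available
    ctx.set_ciphers("ALL")  # whatever OpenSSL offers, weak suites included
    return ctx


def hardened_server_context():
    """A context that only speaks TLS 1.2+ with forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv3, TLS 1.0 and 1.1
    # ECDHE key exchange (forward secrecy) with AES-GCM or ChaCha20-Poly1305 only;
    # anonymous suites and MD5 explicitly excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression enables CRIME-style attacks
    # Placeholder paths; a real deployment loads its certificate chain here:
    # ctx.load_cert_chain("/etc/tls/fullchain.pem", "/etc/tls/privkey.pem")
    return ctx


def audit(ctx):
    """Summarise the properties a scanner such as SSL Labs would report."""
    return {
        "min_version": ctx.minimum_version.name,
        "weak_ciphers": weak_ciphers(ctx),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "offered_suites": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        print(label, audit(ctx))
```

Running the script prints the two audits side by side; the hardened context reports no weak suites and a minimum version of TLSv1_2, while the legacy one reports whatever weak suites the local OpenSSL build still ships. The hardened cipher string is a starting point rather than a final answer: the SSL Labs documentation linked above is the place to check it against current recommendations and the clients you must support.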

*Mixed content can be a source of headaches*

Pulling in external resources like images, videos and JavaScript code over
unencrypted connections into an HTTPS website will trigger security alerts
in users’ browsers. And because many websites depend on external content
for their functionality—commenting systems, web analytics, advertising
etc.—the mixed content issue has kept many of them from migrating to HTTPS.

The good news is that a large number of third-party services, including ad
networks, have added HTTPS support in recent years. The proof that this is
not as bad a problem as it used to be is that many online media websites
<https://securethe.news/> have already switched to HTTPS, even though such
websites are highly dependent on advertising revenue.

Webmasters can use the Content Security Policy (CSP) header to discover
insecure resources on their webpages and either rewrite their origin on the
fly or block them. The HTTP Strict Transport Security (HSTS) header can also
be used to avoid mixed content issues, as explained by security researcher
Scott Helme in a blog post
<https://scotthelme.co.uk/migrating-from-http-to-https-ease-the-pain-with-csp-and-hsts/>.
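The paragraph above describes two complementary tools: finding the http:// subresources that would trigger mixed-content warnings, and using CSP and HSTS response headers to report, upgrade or block them. The following Python example, added here and not part of the article or of Scott Helme’s post, does both. It scans a constructed sample page for subresources that would load over plain HTTP (links and navigations are deliberately excluded, since browsers do not treat those as mixed content), and it returns the response headers for each migration stage. The host names in the sample page and the report URI are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose values browsers fetch as subresources and therefore
# subject to mixed-content checks. <a href> is a navigation, not a subresource.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
    "object": ("data",), "embed": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is None or attr not in SUBRESOURCE_ATTRS.get(tag, ()):
                continue
            # Resolve relative and protocol-relative ("//cdn/...") URLs against the
            # HTTPS page, exactly as the browser would; only a hard-coded http://
            # scheme survives that step as plain HTTP.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, attr, absolute))


def find_mixed_content(html, page_url="https://example.com/"):
    """Return the http:// subresources a browser would flag on this HTTPS page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def https_migration_headers(stage, report_uri="https://example.com/csp-reports"):
    """Response headers for one stage of an HTTP-to-HTTPS migration.

    discover: report-only CSP, so insecure loads are reported but not blocked
    upgrade:  the browser rewrites http:// subresources to https:// before fetching
    enforce:  HSTS, so the browser only ever contacts the site over HTTPS
    """
    if stage == "discover":
        return {"Content-Security-Policy-Report-Only":
                f"default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri {report_uri}"}
    if stage == "upgrade":
        return {"Content-Security-Policy": "upgrade-insecure-requests"}
    if stage == "enforce":
        # Start with a short max-age: HSTS is cached by browsers and cannot be
        # undone quickly if the HTTPS deployment turns out to be broken.
        return {"Content-Security-Policy": "upgrade-insecure-requests",
                "Strict-Transport-Security": "max-age=300"}
    raise ValueError(f"unknown stage: {stage}")


# Constructed sample page: two hard-coded http:// subresources, one
# protocol-relative script, one relative image and one plain link.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//analytics.example.net/a.js"></script>
<script src="https://comments.example.net/embed.js"></script>
</head><body>
<a href="http://partner.example.org/">partner</a>
<img src="/images/logo.png">
<img src="http://ads.example.net/banner.png">
<iframe src="https://video.example.net/player"></iframe>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}={url}>")
    for stage in ("discover", "upgrade", "enforce"):
        print(stage, https_migration_headers(stage))
```

The scanner finds the stylesheet and the banner image but not the protocol-relative script, the relative logo or the partner link, which matches what a browser would warn about. The report-only policy in the discover stage is intentionally loose (`'unsafe-inline'` and `'unsafe-eval'` are allowed) because its only purpose is to surface non-HTTPS loads, not to lock down script execution.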

Other possibilities include using a service like CloudFlare, which acts as a
front proxy between users and the web server that actually hosts the
website. CloudFlare encrypts the web traffic between end users and its
proxy server, even if the connection between the proxy and the hosting web
servers remains unencrypted. This secures only half of the connection, but
it’s still better than nothing and will prevent traffic interception and
manipulation close to the user.

*HTTPS adds security and trust*

One of the major benefits of HTTPS is that it protects users against
man-in-the-middle (MitM) attacks that can be launched from compromised or
insecure networks.

Hackers use such techniques to steal sensitive information from or to
inject malicious content into web traffic. MitM attacks can also be done
higher up in the internet infrastructure, for example at the country level—the
great firewall of China
<http://www.pcworld.com/article/2908912/chinas-great-cannon-ddos-tool-enforces-internet-censorship.html>—or
even at the continental level, as with the NSA’s surveillance activities.

Furthermore, some Wi-Fi hotspot operators and even some ISPs use MitM
techniques to inject ads or various messages into users’ unencrypted web
traffic. HTTPS can prevent this—even if this content is not malicious in
nature, users might associate it with the website they’re visiting, which
could hurt the website’s reputation.

*Not having HTTPS comes with penalties*

Google started to use HTTPS as a search ranking signal
<https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html> in
2014, meaning that websites available over HTTPS get an advantage in search
results over those that don’t encrypt their connections. While the impact
of this ranking signal is currently small, Google plans to strengthen it
over time to encourage HTTPS adoption.

Browser makers are also pushing for HTTPS quite aggressively. The latest
versions of Chrome and Firefox display warnings if users attempt to enter
passwords or credit card details into forms loaded on non-HTTPS pages.

In Chrome, websites that don’t use HTTPS are prevented from accessing
features like geolocation, device motion and orientation or the application
cache. The Chrome developers plan to go even further and eventually display
a Not Secure indicator
<https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn> in
the address bar for all non-encrypted websites.

*Look to the future*

“As a community I feel we’ve done a lot of good in this area, explaining
why everybody should use HTTPS,” said Ivan Ristic, former head of the
Qualys SSL Labs and author of the *Bulletproof SSL and TLS* book.
“Especially browsers, with their indicators and constant improvements, are
compelling companies to switch.”

According to Ristic, some adoption hurdles remain, such as having to deal
with legacy systems or third-party services that don’t support HTTPS yet.
However, he feels that there are now more incentives, as well as pressure
from the general public to support encryption, making the effort worth it.

“I feel that, as more sites migrate, it’s getting easier,” he said.

The upcoming TLS 1.3 specification, which while still a draft has already
been implemented and turned on by default in the latest versions of Chrome
and Firefox, will make HTTPS deployment even easier. This new version of
the protocol removes support for old and insecure cryptographic algorithms,
making it much harder to end up with vulnerable configurations. It also
brings significant speed improvements due to a simplified handshake
mechanism.

It’s worth keeping in mind, though, that since HTTPS is now easy to deploy,
it can also be easily abused, so it’s also important to educate users about
what the technology offers and what it doesn’t.

People tend to have a greater degree of confidence in a website when they
see the green padlock that indicates the presence of HTTPS in the browser.
Since certificates are now easily obtainable, a lot of attackers are taking
advantage of this misplaced trust and are setting up malicious HTTPS
websites.

“When it comes to the issue of trust, one of the things we have to be clear
about is that the presence of a padlock and HTTPS don’t really mean
anything about the reliability of a website and doesn’t even say anything
about who is running it,” web security expert and trainer Troy Hunt said.

Organizations will have to deal with the abuse of HTTPS too and they’ll
likely start inspecting such traffic on their local networks, if they
aren’t already, because encrypted connections could hide malware.