A few years ago, a Firefox plugin called Firesheep was released. This tool was designed to sniff network traffic looking for common websites being visited over HTTP. HTTP sends the traffic between your system and the server in clear text. If Firesheep found a request/response belonging to an authenticated user, it captured the session cookie and let its user hijack the current session. While the site most likely performed the initial authentication with the username and password over an encrypted channel, such as HTTPS, it then degraded to HTTP for the rest of the site visit. The premise was that the credentials were protected, but the flaw in that approach is that the session cookie used to represent an authenticated user also needs to be protected. In this case, it was not.
It is becoming more common for sites to support HTTPS (the encrypted transport channel) for every page, not just the login page. Many sites like Facebook, Google, LinkedIn, Twitter, etc. made this available as an option after the release of Firesheep. If your site uses any type of authentication, it is recommended to use only an encrypted channel (HTTPS) for communication.
What if your site doesn’t use authentication? What if it is just your company’s marketing website? What if your site just provides information to people but there are no passwords, sensitive information, or sessions to protect? Should you still switch to HTTPS?
This is a debate that is starting to grow in the information security world. With concerns about governments or other entities snooping on traffic, many suggest dropping HTTP and only supporting HTTPS. There is also the concern that if your site uses HTTP, an attacker could intercept and modify your responses to directly attack your system. While not attacks, we have seen ISPs deliver ads or other content by inserting it into responses. If an attacker can do the same, an attack payload can be sent and your system compromised. If you are on a corporate network, this is the first step in attacking the internal network from the outside.
On the flip side, we don’t see these types of attacks being very widespread, and many people are not worried about any type of snooping. They just want to get their information. So does it make sense to just go ahead and drop HTTP and go for the gusto? Pinterest just joined the ranks of sites going all HTTPS (https://threatpost.com/https-opens-door-to-paid-pinterest-bug-bounty/111687) as an improvement to their security. Does it make sense for you?
There are some things to think about when implementing HTTPS. Of course, there is a monetary piece to this. You have to buy a certificate for your domain so that HTTPS will work, and depending on where you buy it, these certs vary in price. The other big concern I often hear is about performance: that HTTPS will slow the site down and users will be unhappy. Recent advances in SSL and TLS have pretty much negated this issue. If a site like Facebook can implement it, there is a good chance you can as well. If you are serving up external content there may be some hurdles, as browsers may complain when trying to display mixed content, that is, a page that pulls in content over both HTTP and HTTPS.
I am not sure if it is going mainstream for all sites yet, or just for the sites that have sensitive transactions. There is a chance that all sites could make the switch. Another aspect is search rankings. Google has stated that it will rank HTTPS sites higher (http://www.zdnet.com/article/google-confirms-its-giving-https-sites-higher-search-rankings/). Is this the push that is needed? Is it enough to push everyone to HTTPS?
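As an added example (not part of the original post), here is a small Python audit that checks a raw HTTP response for the problems raised above: a session cookie without the Secure flag, which a browser would send over plain HTTP just as Firesheep relied on, a missing Strict-Transport-Security header, and active mixed content. The two responses it inspects are constructed samples, not captured from any real site.

```python
import re

# Constructed sample responses, not captured from any real site. The weak one
# repeats the Firesheep-era mistake: the session cookie is not marked Secure,
# so the browser will send it on any later plain-HTTP request to the site.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n\r\n"
    '<html><script src="http://cdn.example.com/app.js"></script>'
    '<img src="https://cdn.example.com/logo.png"></html>'
)
HARDENED_RESPONSE = (  # the same page after the move to HTTPS only
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n\r\n"
    '<html><script src="https://cdn.example.com/app.js"></script>'
    '<img src="https://cdn.example.com/logo.png"></html>'
)
# A tag that would load code or a frame over http:// inside an HTTPS page.
MIXED_RE = re.compile(
    r'<(script|iframe|link|object)\b[^>]*?\s(?:src|href|data)\s*=\s*["\']http://', re.I)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines)]
    return status, headers, body

def audit_response(raw):
    """Return the transport-security findings for a response served over HTTPS."""
    findings = []
    _, headers, body = parse_response(raw)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, *attrs = [a.strip() for a in value.split(";")]
        if "secure" not in (a.lower() for a in attrs):
            findings.append(f"cookie {cookie.split('=', 1)[0]!r} lacks Secure; it would be sent over plain HTTP")
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header; browsers can still be sent to http:// URLs on this site")
    for m in MIXED_RE.finditer(body):
        findings.append(f"active mixed content: <{m.group(1).lower()}> loads over http://")
    return findings

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```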