April 14, 2016 by James Jardine

The Hidden Reason for Switching to HTTPS

If you run a website, you have probably debated whether you need to make the switch to HTTPS instead of using HTTP. For those who still don’t know, HTTPS is the encrypted version of HTTP. It is typically seen on banking sites, touted to protect your sensitive information while it is transmitted between you (your browser) and the application.

I wrote on this topic about a year ago in the post: Is HTTP being left behind for HTTPS? Back then there was a big push for making the switch, and since then we have even seen government mandates requiring government-operated sites to move to HTTPS.

There are typically two reasons you will hear someone recommend using HTTPS:

  • SEO (search engine optimization) – To learn more about these benefits, check out the article Should you switch your site to HTTPS? Here’s Why you should or shouldn’t by Neil Patel. Neil does a great job of explaining HTTPS and its pros and cons.
  • Protecting sensitive information – We all should know by now that we need to protect sensitive information as it is transmitted to the application. So if your application transmits any sensitive information (passwords, Social Security numbers, credit card info, account information, etc.), using HTTPS (SSL/TLS) is a must.

But Wait…What about…

There is another big reason that HTTPS is important, even if you do not have sensitive information on your site. Let’s step into our favorite scenario: using your computer in the local coffee shop. You connect to the free wifi and start surfing to your favorite sites. You feel comfortable logging into your bank account because it uses HTTPS and you see the green lock in your browser (although maybe you shouldn’t feel so comfortable). Ideally, that session with your bank is protected from the guy sitting one table over trying to intercept the traffic.

Then you point your browser to a local news site to check out the latest happenings. That site is served over HTTP and is not protected while traversing the wifi network. What happens when the attacker is able to intercept that news traffic and changes the response, which you expect to contain today’s news, so that it contains malicious content instead? This would be no different from clicking on a malicious site to begin with. Except here, you feel safe on that familiar news site.

This scenario shows how your site, the one running without HTTPS, could be used as a launching point to attack a user. While it didn’t affect your actual site, or your servers, it will lead to a break in trust from your visitors. If something happens while they are on your site, it doesn’t matter how it happened, the finger is pointing straight at you.

Conclusion

So while we put a lot of focus on sensitive information or SEO, there are other very important reasons why a site owner would want to make the switch to HTTPS. Gone are the days when performance was an excuse. Heck, with the Let’s Encrypt project, maybe gone are the days of paying for a certificate to enable HTTPS. Sure, there may be reasons, even some valid ones, why you don’t need to make the switch. Don’t just look at the constraints. Take the time to really understand your situation, how the change affects you, and make rational decisions. Don’t do it because some site said to. Do it because you understand the situation and know it is right for you.

Filed Under: General Tagged With: application security, computer, developer, developer awareness, developer security, http, https, secure communication, security, transmission, user

March 17, 2015 by James Jardine

Is HTTP being left behind for HTTPS?

A few years ago, a Firefox plugin was created called FireSheep. This tool was designed to sniff network traffic looking for common websites that were being visited over HTTP. HTTP sends the traffic between your system and the server in clear text. If it found a request/response of an authenticated user, it would capture the session cookie and allow the user of FireSheep to hijack the current session. While the site most likely performed the initial authentication with the username and password over an encrypted channel, such as HTTPS, it then degraded to HTTP for the rest of the site visit. The premise was that the credentials were protected, but the flaw in that approach is that the session cookie used to represent an authenticated user also needs to be protected. In this case, it was not.

It is becoming more popular for sites to support HTTPS (the encrypted transport channel) all of the time, not just for the login. Many sites like Facebook, Google, LinkedIn, Twitter, etc. started making this available as an option after the release of FireSheep. If your site uses any type of authentication, it is recommended to only use an encrypted channel (HTTPS) for communication.

What if your site doesn’t use authentication? What if it is just your company’s marketing website? What if your site just provides information to people but there are no passwords, sensitive information, or sessions to protect? Should you still switch to HTTPS?

This is a debate that is starting to grow in the information security world. With concerns of government snooping, or other entities snooping on traffic, many suggest dropping HTTP and only supporting HTTPS. There is also the concern that your site, if using HTTP, could allow an attacker to intercept and modify your responses to directly attack your system. While not attacks in themselves, we have seen ISPs deliver ads or other content by inserting it into the responses. If an attacker can do the same, it is possible for an attack payload to be sent and your system compromised. If you are on a corporate network, this is the first step in attacking the internal network from the outside.

On the flip side, we don’t see these types of attacks very widespread, and many people are not worried about any type of snooping. They just want to get their information. So does it make sense to just go ahead and drop HTTP and go for the gusto? Pinterest just joined the ranks of going to all HTTPS (https://threatpost.com/https-opens-door-to-paid-pinterest-bug-bounty/111687) as an improvement to their security. Does it make sense for you?

There are some things to think about with the implementation of HTTPS. Of course, there is a monetary piece to this. You have to buy a certificate for your domain so that HTTPS will work. Depending on the vendor you go to, these certs vary in price. The other big concern I often hear is about performance: that HTTPS will slow the site down and users will be unhappy. Recent advances in SSL and TLS have pretty much negated this issue. If a site like Facebook can implement it, there is a good chance you can as well. If you are serving up external content there may be some hurdles, as browsers complain when asked to display mixed content: that is, content from both HTTP and HTTPS on the same page.

I am not sure if it is going mainstream for all sites yet, or just the sites that have the sensitive transactions. There is a chance that it could make the switch. Another aspect is search rankings. Google has stated that it will rank HTTPS sites higher (http://www.zdnet.com/article/google-confirms-its-giving-https-sites-higher-search-rankings/). Is this the push that is needed? Is it enough to push everyone to HTTPS?
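Both posts above point at the same gap: content and session cookies that travel over plain HTTP, and nothing telling the browser to stay on HTTPS. As an added example, not code from the original posts, the Python below audits a site's responses for the mitigations a site owner would deploy: a permanent redirect from HTTP, an HSTS header, and the Secure flag on cookies. The sample responses, the host example.com and the cookie name sessionid are all constructed for this example.

```python
# Added example, not code from the original posts: audit a site's responses for
# what the posts warn about. All sample responses below are constructed.

ONE_YEAR = 31536000


def parse_response(raw):
    """Parse a raw HTTP/1.1 response head into (status, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))  # keeps repeats
    return status, headers


def audit(raw, over_https):
    """Return a list of findings for one response; an empty list means it passes."""
    status, headers = parse_response(raw)
    values = lambda name: [v for k, v in headers if k == name]
    findings = []
    if not over_https:
        # The plain-HTTP side should only redirect: any content it serves could
        # be rewritten on the wire, and any cookie it sets travels in the clear.
        loc = values("location")
        if status not in (301, 308) or not loc or not loc[0].startswith("https://"):
            findings.append("http: no permanent redirect to https")
        if values("set-cookie"):
            findings.append("http: sets a cookie over clear text")
        return findings
    # On the HTTPS side, HSTS tells the browser to stop using HTTP for this host.
    hsts = values("strict-transport-security")
    if not hsts:
        findings.append("https: missing Strict-Transport-Security")
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";")]
        ages = [d.partition("=")[2] for d in directives if d.startswith("max-age=")]
        if not ages or not ages[0].isdigit() or int(ages[0]) < ONE_YEAR:
            findings.append("https: HSTS max-age missing or under one year")
    # Without Secure, the session cookie still rides along on any http:// link.
    for cookie in values("set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("https: cookie %s lacks Secure" % cookie.split("=", 1)[0])
    return findings

# Constructed samples: the FireSheep-era pattern versus a hardened setup.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nSet-Cookie: sessionid=abc123; Path=/\r\n\r\n<html>"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
              "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html>")
```

Run `audit(WEAK_HTTP, False)` to see both findings for the FireSheep pattern, and `audit(GOOD_HTTP, False)` plus `audit(GOOD_HTTPS, True)` to confirm the hardened pair passes.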

Filed Under: General Tagged With: awareness, developer, encrypted transport, google, http, https, search engine, search results, site, technology
