
Putting the S into HTTPS – Updated Jan. 2017

Update January 2017

Great news: measurements by Mozilla show that more than 50 % of page loads are HTTPS \o/

Original Post

Without encryption you could not do online shopping, online banking or even downloads and updates over the internet without running an extreme risk.

Did you know that you are already using encryption in your browser without noticing it? The small lock icon in the address bar hints that encryption is currently turned on. Many sites (especially shops and banks) support it. Encryption brings you no disadvantages, only advantages.

By encrypting the communication between your browser and the server you gain three important benefits:

Authentication

The server (the banking page, for example) “shows its passport” to your browser, which then verifies it. You will only ever notice the process if the verification fails. This happens mostly when the site owner forgets to renew the certificate (certificates must be renewed every few weeks or years). It’s highly likely that you have already seen one of those browser notifications rejecting a certificate as invalid. A short time later the site owner should have gotten a new certificate to fix it. Without authenticating your transaction partner, there is no way of doing secure online banking or shopping.

Secrecy

Secrecy prevents others from reading the data packets running between your browser and the server. That includes banking credentials like credit card numbers, your passwords, and usernames …

Without any doubt you do not want anyone to read that data. Without secrecy there is no way of shopping online securely.

Integrity

There are tools that modify network packets on the fly. They are power tools for administrators or scientific tools and have legitimate uses. But with the same tools, an attacker connected to the same network as you can modify the data you send. This is very simple if the attacker is in the same network segment (connected to the same switch or Wifi access point), and it is also possible across the whole network by manipulating the traffic (DNS changer attacks or BGP attacks).

Without integrity there is no way of shopping online securely.

https: A panacea?

Encryption (like the httpS encryption) offers all those features. Banning encryption would break the internet as a trustworthy environment and as a marketplace.

To be able to talk to the server in an encrypted way, the server must support that. This requires getting a certificate, changing a configuration file and testing the whole page. The effort takes something between minutes and weeks, depending on the complexity of the page. The server administrator and the web designers would normally handle the process. Shops and banks should have made this switch some years ago.

But to establish an encrypted channel, there must be an agreement between the server and the browser. This can happen in three ways:

  • The server administrator sets up a 302-redirect and pushes all unencrypted traffic to the encrypted channel
  • Or the web designer changes all the links in the page from http://something.de to https://something.de
  • Or the user enters https:// in the URL bar to request encryption

All of those cases involve humans. Humans make mistakes. The EFF’s HTTPS-Everywhere (integrated into our browser) has a database of servers supporting encryption. For every page in its database it replaces the http:// with https:// – with just one single character changed, you benefit immensely.
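A simplified sketch of the rewrite described above, as an added example that is not HTTPS Everywhere's own code or ruleset format. The host list, the exclusion pattern and the function names are assumptions made for illustration.

```javascript
// Constructed sample database: hosts assumed to support HTTPS (hypothetical entries).
const HTTPS_HOSTS = ["something.de", "*.shop.example"];
// Constructed exclusion: a path on a listed host that is assumed to break over HTTPS.
const EXCLUSIONS = [/^http:\/\/something\.de\/legacy\//];

// True if host matches an entry; "*.x" matches any subdomain of x, but not x itself.
function hostInDatabase(host, entries = HTTPS_HOSTS) {
  host = host.toLowerCase();
  return entries.some((entry) =>
    entry.startsWith("*.")
      ? host.endsWith(entry.slice(1)) && host.length > entry.length - 1
      : host === entry
  );
}

// Returns the URL to load: upgraded to https:// when the host is in the
// database, otherwise the input unchanged. Only plain http:// URLs are touched.
function upgradeUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return input; // not an absolute URL, leave it alone
  }
  if (url.protocol !== "http:") return input; // already https, or another scheme
  if (EXCLUSIONS.some((re) => re.test(url.href))) return input;
  // Match on the parsed hostname, never on the raw string, so that
  // "something.de.evil.example" is not mistaken for "something.de".
  if (!hostInDatabase(url.hostname)) return input;
  // An explicit non-default port will not speak TLS on that same port; do not guess.
  if (url.port !== "") return input;
  url.protocol = "https:";
  return url.href;
}

// Constructed inputs showing each decision.
for (const u of [
  "http://something.de/login?next=%2Fcart", // in database: upgraded
  "http://WWW.Shop.Example/",               // wildcard match: upgraded
  "http://unknown.example/",                // not in database: stays http
  "http://something.de/legacy/app",         // excluded path: stays http
]) {
  console.log(u, "->", upgradeUrl(u));
}
```

Hosts that are missing from the database stay on plain http, which is why the approach only helps for servers that both support HTTPS and are listed.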

This is especially true in networks you cannot trust (remember: easy attacks in the same network segment) and is therefore essential for your security. Untrusted networks include: open Wifis, public Wifis, hotel networks, … wait, why not just every network?

We are not there yet

It’s sad, but HTTPS Everywhere is not perfect (yet). There are more advanced attacks that still can succeed (SSLStrip, Superfish) but the largest issue is:

Not all those servers support HTTPS

The EFF is currently writing a tool to simplify the server setup (called “Let’s Encrypt”). But even with that, not all servers will migrate.

We are currently investigating another technology that combines extremely well with HTTPS-Everywhere, to get your data encrypted through your Wifi, no matter what.

TL;DR:
Encrypted networks should be a default. We(*) are getting there.

*) The engineers building the internet


I use science to protect people. My name is Thorsten Sick and I do research projects at Avira. My last project was the ITES project where I experimented with Sandboxes, Sensors and Virtual Machines. Currently I am one of the developers of the new Avira Browser