|
|
@@ -0,0 +1,115 @@
|
|
|
1
|
+---
|
|
|
2
|
+date: 2016-06-17
|
|
|
3
|
+strapline: It's time to stop with the excuses
|
|
|
4
|
+thumbnail: /res/images/https/https-everywhere.thumb.jpg
|
|
|
5
|
+title: Why you should be using HTTPS
|
|
|
6
|
+url: /2016/06/17/why-you-should-be-using-https/
|
|
|
7
|
+---
|
|
|
8
|
+
|
|
|
9
|
+<div class="image right">
|
|
|
10
|
+ <img src="/res/images/https/https-everywhere.jpg" alt="EFF HTTPS Everywhere logo">
|
|
|
11
|
+</div>
|
|
|
12
|
+
|
|
|
13
|
+One of my favourite hobbyhorses recently has been the use of HTTPS, or lack thereof. HTTPS is the
|
|
|
14
|
+thing that makes the little padlock appear in your browser, and has existed for over 20 years.
|
|
|
15
|
+In the past, that little padlock was the exclusive preserve of banks and other 'high security'
|
|
|
16
|
+establishments; over time its use has gradually expanded to most (but not all) websites
|
|
|
17
|
+that handle user information, and the time is now right for it to become ubiquitous.
|
|
|
18
|
+
|
|
|
19
|
+<!--more-->
|
|
|
20
|
+
|
|
|
21
|
+### Why use HTTPS?
|
|
|
22
|
+
|
|
|
23
|
+There are numerous advantages to using HTTPS, both for the users of a website and for the
|
|
|
24
|
+operator:
|
|
|
25
|
+
|
|
|
26
|
+#### Privacy
|
|
|
27
|
+
|
|
|
28
|
+The most obvious advantage is that HTTPS gives your users additional privacy. An insecure (HTTP)
|
|
|
29
|
+request can potentially be read by anyone on the same network, or the network operators, or anyone
|
|
|
30
|
+who happens to operate a network along the path between the user and the server.
|
|
|
31
|
+
|
|
|
32
|
+Users on shared WiFi networks (such as those in coffee shops, hotels, or offices) are particularly
|
|
|
33
|
+vulnerable to passive sniffing by anyone else on that network. If the network is open (as is
|
|
|
34
|
+frequently the case) then anyone in radio range can see exactly what the user is up to.
|
|
|
35
|
+
|
|
|
36
|
+#### Integrity
|
|
|
37
|
+
|
|
|
38
|
+HTTPS also helps to maintain the integrity of your site. With a plain HTTP request, there's nothing
|
|
|
39
|
+to stop anyone in between the server and the user from modifying the content of the request or the
|
|
|
40
|
+response. This is a frequent tactic used by annoying WiFi gateways (such as the ones [you'd find in
|
|
|
41
|
+a hotel](http://justinsomnia.org/2012/04/hotel-wifi-javascript-injection/)), dubious ISPs who want
|
|
|
42
|
+to serve you extra adverts, or just plain old nefarious attackers.
|
|
|
43
|
+
|
|
|
44
|
+If you're trying to convey some kind of information to users (and if you aren't, why exactly are
|
|
|
45
|
+you running a website again?) it seems beneficial to both you and them if the information arrives
|
|
|
46
|
+as you intended, rather than in a modified form due to someone or something tampering with it.
|
|
|
47
|
+
|
|
|
48
|
+#### Security
|
|
|
49
|
+
|
|
|
50
|
+If your website has any kind of authentication, or session identifiers, it becomes extremely
|
|
|
51
|
+vulnerable to an attacker monitoring the traffic and stealing the credentials. This was
|
|
|
52
|
+starkly demonstrated in 2010 when [Firesheep](https://en.wikipedia.org/wiki/Firesheep) was
|
|
|
53
|
+released. This tool allowed anyone to quickly and automatically hijack social media accounts of
|
|
|
54
|
+anyone on the same network who was using HTTP to access them.
|
|
|
55
|
+
|
|
|
56
|
+Even if your login pages are served over HTTPS, if you send a single session ID cookie over HTTP
|
|
|
57
|
+(such as a page you decided wasn't particularly 'important') then an attacker can probably spoof
|
|
|
58
|
+the user's session and gain full access to their account. Again, in the case of open WiFi networks
|
|
|
59
|
+that could be anyone in radio range.
|
|
|
60
|
+
|
|
|
61
|
+#### Search engine rankings
|
|
|
62
|
+
|
|
|
63
|
+Some search engines use HTTPS as a signal in their ranking algorithms. [Google announced in
|
|
|
64
|
+2004](https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html) that it was using
|
|
|
65
|
+the presence of HTTPS as a small positive signal, but that it may strengthen that signal over time
|
|
|
66
|
+as more and more websites switch to using a secure transport. It's not unthinkable that at some
|
|
|
67
|
+point in the future there will be HTTPS-only search engines.
|
|
|
68
|
+
|
|
|
69
|
+### But... But... But...
|
|
|
70
|
+
|
|
|
71
|
+There are lots of excuses for not implementing HTTPS. Most of them are either misguided or outdated.
|
|
|
72
|
+
|
|
|
73
|
+#### It's too expensive and/or complicated
|
|
|
74
|
+
|
|
|
75
|
+In the past, getting HTTPS certificates was a pain. A number of free suppliers have existed for
|
|
|
76
|
+a while but the process for getting their certificates wasn't particularly straight forward, and
|
|
|
77
|
+many imposed arbitrary restrictions on the certificate parameters. Even once you had the
|
|
|
78
|
+certificate, you had to fiddle about with your HTTP server configuration to make it work, remember
|
|
|
79
|
+to manually get a new certificate when the old one expired, and lots of other annoying busywork.
|
|
|
80
|
+
|
|
|
81
|
+With the arrival of [Let's Encrypt](https://letsencrypt.org/), all that changed. You can retrieve
|
|
|
82
|
+and deploy a free HTTPS certificate with two or three commands. Renewal can be handled completely
|
|
|
83
|
+automatically with a single command executed by cron.
|
|
|
84
|
+
|
|
|
85
|
+#### There's no point; nothing on my site is sensitive
|
|
|
86
|
+
|
|
|
87
|
+You might not think your content warrants privacy, but can you speak for everyone who accesses it?
|
|
|
88
|
+Even content that seems mundane to you — such as travel advice, or technical writing — could be
|
|
|
89
|
+used to build up a profile of a user. If an attacker is monitoring traffic in a coffee shop and
|
|
|
90
|
+sees a user looking at travel advice and weather forecasts for a foreign country, he could use that
|
|
|
91
|
+information to plan a burglary knowing that the user will be away. Similarly, some content which
|
|
|
92
|
+is perfectly mundane to you may actually be very sensitive in other countries with repressive
|
|
|
93
|
+governments. HTTPS makes it much harder for these people to snoop on traffic.
|
|
|
94
|
+
|
|
|
95
|
+From another angle, if you're offering any kind of information, instructions, or especially file
|
|
|
96
|
+downloads, there's a severe risk to users if the content is modified on its way to them. An evil
|
|
|
97
|
+sysadmin could rewrite your travel advice to suggest visiting the local drug dealer's hangout, or
|
|
|
98
|
+replace your download with a malware-infested version.
|
|
|
99
|
+
|
|
|
100
|
+#### HTTPS is slower, uses more resources, etc
|
|
|
101
|
+
|
|
|
102
|
+Back in 1995 this might have been a valid argument. Enabling HTTPS on a modern server will make
|
|
|
103
|
+an almost negligible difference to performance. If you also enable HTTP/2 (which most
|
|
|
104
|
+implementations only support over HTTPS), it's likely to actually use fewer resources, and result
|
|
|
105
|
+in a faster, smoother experience for your users. HTTP/2 was designed to work with HTTPS, and
|
|
|
106
|
+designed with modern requirements and networking techniques in mind.
|
|
|
107
|
+
|
|
|
108
|
+CloudFlare have an [excellent demonstration](https://www.cloudflare.com/http2/) of the benefits of
|
|
|
109
|
+HTTP/2, and it can show speed improvements of 2-3x in a typical environment. On top of being faster,
|
|
|
110
|
+HTTP/2 uses fewer connections which results in less resource overhead on both the server and the
|
|
|
111
|
+client.
|
|
|
112
|
+
|
|
|
113
|
+### So what are you waiting for?
|
|
|
114
|
+
|
|
|
115
|
+If you run a website and aren't using HTTPS, [give it a try](https://certbot.eff.org/).
|
