HTTPS Should be Implemented Everywhere…Including on Static Websites

July 26, 2018 | David Bisson

The web is awash with data thieves looking to steal people’s sensitive information. To protect their users against such threats, financial institutions and tech firms like Google enable HTTPS on their websites. Doing so encrypts the connection between a browser and website, thereby securing sensitive data transmissions.

It makes sense for banks and tech firms to enable HTTPS on dynamic websites that are built on top of databases containing important information. But many don’t see the point when it comes to static websites. As these types of sites don’t have data transactions between the client and server, plenty of people feel there’s no risk.

That couldn’t be further from the truth.

Haydn Johnson, information security manager at Points, gives a broad overview of why and how static sites served only over HTTP are vulnerable:

“The internet may ‘feel like’ a direct connection from your laptop to a website, and it’s easy to think that a static website is secure over HTTP only. However, the traffic has to travel through many points to get to a website. HTTP is insecure and allows anyone to manipulate traffic at any point between a laptop and connecting to a website. Think of your connection at a coffee shop over Wi-Fi being manipulated.”

Attackers can do a great deal by manipulating the traffic of a static website served only over HTTP. Some of it is relatively harmless: for example, someone could inject Microsoft Clippy onto any page they choose, or Cornify a site.

Other abuses are much more serious. For example, web security expert Troy Hunt demonstrated in a video that a successful man-in-the-middle (MitM) attacker could inject a cryptominer into an otherwise ordinary-looking site. They could also modify the site’s unencrypted traffic to insert hidden iframes that launch cross-site request forgery (CSRF) attacks against certain routers, or carry out DNS spoofing that resolves domain names to malicious websites.

In perhaps the most serious type of attack discussed by Hunt, nefarious individuals can use the Browser Exploitation Framework (BeEF) to hook into browsers and collect information about their activity. Once a browser is hooked, bad actors can abuse the unencrypted traffic to send a fake Adobe Flash update that installs malware onto the user’s computer when clicked. They can also send a Google phishing page that tricks users into entering their Google credentials, which BeEF is capable of recording.

None of the above abuses are possible on a site protected by HTTPS. If anything goes wrong with the connection, web browsers like Chrome and Firefox display a warning that they could not verify the site’s TLS certificate.

Such a stark contrast makes protecting static websites with HTTPS a no-brainer. Justin Sherman, student at Duke University double-majoring in computer science and political science, agrees.

“There’s no question that organizations should be using HTTPS over HTTP. Encryption is like multifactor authentication—it has enormous security benefits at little cost. These are exactly the kinds of protocols we should leverage to disrupt the fundamental advantage held by attackers. Not only does HTTPS protect the privacy and security of the end user, but it also means that users can place greater trust in a website’s safety and authenticity. It’s a win-win situation, which is why everyone—not just banks or e-commerce websites—should use HTTPS on their websites.”

Even so, there is some resistance. Hunt noted in a comment on a blog post that some people think it is too hard or too expensive to enable HTTPS. That’s not true.

Kim Crawley, a freelance information security writer, explained that HTTPS can actually be quite easy to enable:

“The only significant benefit of delivering webpages over plaintext HTTP is that the webserver administrator doesn't need to acquire an SSL certificate. Self-signed certificates are free, but pointless. They're like a stranger saying, ‘I never lie, honest!’ Getting a proper commercial certificate can cost over a thousand dollars and require documentation about your entity. But Cloudflare offers inexpensive and easy SSL certificate setup, and Let's Encrypt can get you a certificate for free. All webpages and web apps should be delivered over HTTPS. It's an added level of protection for you and your users, and it assures your users that you care about security.”

Domain owners of a static website should purchase a TLS certificate in order to enable HTTPS. Once they have done that, they need to take proper safeguards to defend the certificate against bad actors who could misuse it. An important part of this process is investing in a solution that lets organizations continuously monitor their digital certificates for signs of abuse.
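One way to check that a static site actually enforces HTTPS once the certificate is in place, as an added example (not code from the post, Venafi or any quoted expert): it audits a site's plain-HTTP redirect, its HSTS header and its certificate expiry date against constructed sample responses. The example.com host, the threshold values and the sample headers are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Policy thresholds are assumptions for this example, not values from the post.
HSTS_MIN_MAX_AGE = 180 * 24 * 3600  # six months, in seconds
CERT_WARN_DAYS = 30

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age=") and d[8:].strip('"').isdigit():
            return int(d[8:].strip('"'))
    return None

def audit_site(http_status, http_headers, https_headers, cert_not_after, now):
    """Return a list of findings; an empty list means the site passes."""
    http_h = {k.lower(): v for k, v in http_headers.items()}
    https_h = {k.lower(): v for k, v in https_headers.items()}
    findings = []
    # 1. Plaintext HTTP must redirect to an https:// URL; anything served in
    #    the clear can be rewritten by whoever sits on the path to the server.
    target = urlparse(http_h.get("location", ""))
    if not (300 <= http_status < 400) or target.scheme != "https":
        findings.append("http-not-redirected-to-https")
    # 2. HSTS makes returning browsers skip plaintext HTTP entirely.
    hsts = https_h.get("strict-transport-security")
    age = hsts_max_age(hsts) if hsts is not None else None
    if hsts is None:
        findings.append("hsts-missing")
    elif age is None or age < HSTS_MIN_MAX_AGE:
        findings.append("hsts-max-age-too-short")
    # 3. An expired certificate turns the browser warning against the owner.
    remaining = cert_not_after - now
    if remaining <= timedelta(0):
        findings.append("certificate-expired")
    elif remaining < timedelta(days=CERT_WARN_DAYS):
        findings.append("certificate-expiring-soon")
    return findings

# Constructed sample: a static site that answers over plain HTTP with no
# redirect, no HSTS and a certificate that expires in ten days.
NOW = datetime(2018, 7, 26, tzinfo=timezone.utc)
WEAK = dict(http_status=200, http_headers={"Content-Type": "text/html"},
            https_headers={"Content-Type": "text/html"},
            cert_not_after=NOW + timedelta(days=10), now=NOW)
GOOD = dict(http_status=301, http_headers={"Location": "https://example.com/"},
            https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
            cert_not_after=NOW + timedelta(days=80), now=NOW)
```

Running `audit_site(**WEAK)` reports all three problems, while `audit_site(**GOOD)` returns an empty list; feeding it real headers and the certificate's notAfter date turns it into a simple recurring monitor.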

About the author

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.