The web is awash with data thieves looking to steal people’s sensitive information. To protect their users against such threats, financial institutions and tech firms like Google enable HTTPS on their websites. Doing so encrypts the connection between a browser and website, thereby securing sensitive data transmissions.
It makes sense for banks and tech firms to enable HTTPS on dynamic websites that are built on top of databases containing important information. But many don’t see the point when it comes to static websites. As these types of sites don’t have data transactions between the client and server, plenty of people feel there’s no risk.
That couldn’t be further from the truth.
Haydn Johnson, information security manager at Points, provides a broad overview of why and how static sites protected by HTTP are vulnerable:
“The internet may ‘feel like’ a direct connection from your laptop to a website, and it’s easy to think that a static website is secure over HTTP only. However, the traffic has to travel through many points to get to a website. HTTP is insecure and allows anyone to manipulate traffic at any point between a laptop and connecting to a website. Think of your connection at a coffee shop over Wi-Fi being manipulated.”
Attackers can get up to a lot by manipulating traffic on a static website protected only by HTTP. Some of it can be relatively harmless. For example, someone could inject Microsoft Clippy onto a web page they want or Cornify a site.
Other abuses are much more serious. For example, web security expert Troy Hunt demonstrated in a video that a successful man-in-the-middle (MitM) attacker could inject a cryptominer into an otherwise ordinary-looking site. They could also manipulate the site’s unencrypted traffic to hide iframes designed to launch cross-site request forgery (CSRF) attacks against certain routers or conduct DNS spoofing that resolves to malicious websites.
In perhaps the most serious type of attack discussed by Hunt, nefarious individuals can use the Browser Exploitation Framework (BeEF) to hook into browsers and collect information about their activity. Once a browser is hooked, bad actors can abuse the unencrypted traffic to remotely send a fake Adobe Flash update that installs malware onto a user’s computer when clicked. They can also send a Google phishing page that tricks users into entering the Google credentials, which BeEF is capable of recording.
None of the above abuses are possible on a site protected by HTTPS. If there’s any problem, web browsers like Chrome and Firefox display a message that warns visitors that they couldn’t verify the site’s TLS certificate.
Such a stark contrast makes protecting static websites with HTTPS a no-brainer. Justin Sherman, student at Duke University double-majoring in computer science and political science, agrees.
“There’s no question that organizations should be using HTTPS over HTTP. Encryption is like multifactor authentication—it has enormous security benefits at little cost. These are exactly the kinds of protocols we should leverage to disrupt the fundamental advantage held by attackers. Not only does HTTPS protect the privacy and security of the end user, but it also means that users can place greater trust in a website’s safety and authenticity. It’s a win-win situation, which is why everyone—not just banks or e-commerce websites—should use HTTPS on their websites.”
Even still, there’s some resistance. Hunt noted in a comment to a blog post that there are some out there who think it’s too hard or expensive to enable HTTPS. That’s not true.
Kim Crawley, a freelance information security writer, explained that HTTPS can actually be quite easy to enable:
“The only significant benefit of delivering webpages over plaintext HTTP is that the webserver administrator doesn't need to acquire an SSL certificate. Self-signed certificates are free, but pointless. They're like a stranger saying, "I never lie, honest!" Getting a proper commercial certificate can cost over a thousand dollars and require documentation about your entity. But Cloudflare offers inexpensive and easy SSL certificate setup, and Let's Encrypt can get you a certificate for free. All webpages and web apps should be delivered over HTTPS. It's an added level of protection for you and your users, and it assures your users that you care about security.”
Domain owners of a static website should purchase a TLS certificate in order to enable HTTPS. Once they’ve done that, they need to take proper safeguards to defend their certificate against bad actors who could misuse the certificate. An important part of this process involves investing in a solution that allows organizations to continuously monitor their digital certificates for signs of abuse.