HTTPS is an essential layer of encryption for protecting web sessions and preventing man-in-the-middle, phishing and malware attacks. Yet many businesses still don’t see the value of upgrading from HTTP to HTTPS.
HTTPS is not exactly a new technology; it has been around for decades as a vital way of securing communications on websites.
Indeed, the original HTTPS protocol was released in 1995. Dubbed Secure Socket Layer (SSL), it enabled companies to handle credit card transactions online by protecting payment details and helping to prove that the merchants you visited were who they said they were. By doing this, you essentially knew that the site was trustworthy and that your money/transaction was safe.
Secure Socket Layer creates a secure, encrypted connection between the web server and the browser; without it (under an ordinary HTTP connection), any data passed is insecure. The hazard of HTTP is that it opens up the possibility of plain-text data being intercepted, stolen or even manipulated in a man-in-the-middle (MITM) attack. For example, it could lead to phishing and malware attacks as well as data being ‘faked’ or modified without the user’s knowledge.
If this sounds like HTTPS is a no-brainer, the reality is not quite so simple. Its progress has partly been stalled by the fact that it has taken years for SSL’s successor, Transport Layer Security (TLS), to be widely used outside of credit card payments. And more broadly, HTTPS has been hit by a lack of understanding and by businesses seeing little value in upgrading their systems.
Take UK bank NatWest as a good example: when researcher Troy Hunt complained last month that its customer-facing website was not HTTPS secured, NatWest’s social team’s response was simply to say ‘we’re sorry you feel this way’, a noble but British way of saying ‘we don’t really agree with you’.
“You’re missing the point: when people want to log on they go to your homepage,” said Troy Hunt at the time. “The homepage is insecure so you can’t trust anything on it. The link to the login page is on it. You can’t trust the link to the login page.”
This is not anything out of the ordinary, unfortunately. For example, this writer knows of one UK hospital which fails to provide HTTPS for open Wi-Fi connections for visitors and patients, presumably on the mistaken belief that users are not at risk.
More recently, the UK’s governing party – the Conservatives – had their own HTTPS nightmare, allowing their SSL certificate (which is required for HTTPS) to expire. On the reshuffling of the cabinet in January, visitors to the Conservatives’ website were greeted with warnings including: “Your connection is not private. Attackers might be trying to steal your information from www.conservatives.com (for example, passwords, messages or credit cards).”
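The three failures described above (a plain-HTTP page whose data can be read or rewritten in transit, a homepage served over HTTP so that even its login link cannot be trusted, and a certificate left to expire) can all be caught by a site owner before a customer or a browser warning does. The script below is an added example written for this page, not code from the article or from any of the organisations it names. It checks whether the HTTP homepage of a host is upgraded to HTTPS (and whether HSTS is set so that later visits skip the plain-HTTP hop), and how many days remain on the server's certificate. The hostnames ending in `.test` and the response table `FAKE_SITE` are constructed so the logic runs offline; the `live_*` helpers do the same against a real host when run from the command line.

```python
"""Pre-flight checks for HTTPS deployment: homepage upgrade and certificate expiry.

Added example (not the article's own code). Hostnames under .test and the
FAKE_SITE table are constructed sample data so the checks run offline.
"""
import http.client
import socket
import ssl
import sys
from datetime import datetime, timezone
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def homepage_upgrade_verdict(host, fetch, max_hops=5):
    """Start at http://host/ and follow redirects using fetch(url) -> (status, headers).

    headers must be a dict with lower-cased keys. The verdict reflects Troy
    Hunt's point: if the page a visitor lands on is plain HTTP, nothing on it
    (including the link to the login page) can be trusted.
    """
    url = f"http://{host}/"
    headers = {}
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status in REDIRECT_STATUSES and "location" in headers:
            url = urljoin(url, headers["location"])  # handles relative Location values
            continue
        break
    if urlsplit(url).scheme != "https":
        return "fail: homepage served over plain HTTP, its links (including login) are untrusted"
    if "strict-transport-security" not in headers:
        return "warn: redirects to HTTPS but no HSTS, so every first visit starts over plain HTTP"
    return "ok: HTTP upgraded to HTTPS with HSTS"


def days_until_expiry(not_after, now=None):
    """not_after uses the format ssl.getpeercert() returns, e.g. 'Jan 08 00:00:00 2018 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def expiry_verdict(days_left, renew_within=14):
    """Turn a day count into the action a site owner needs to take."""
    if days_left < 0:
        return "fail: certificate expired, visitors see a 'connection is not private' warning"
    if days_left < renew_within:
        return f"warn: certificate expires in {days_left} days, renew now"
    return f"ok: certificate valid for {days_left} more days"


# --- constructed offline sample: one site done right, one that stops at HTTP ---
FAKE_SITE = {
    "http://example-bank.test/": (301, {"location": "https://example-bank.test/"}),
    "https://example-bank.test/": (200, {"strict-transport-security": "max-age=31536000",
                                         "content-type": "text/html"}),
    "http://example-hospital.test/": (200, {"content-type": "text/html"}),
}


def fake_fetch(url):
    return FAKE_SITE[url]


# --- live helpers for use against a real host ---
def live_fetch(url, timeout=10):
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    conn.request("GET", parts.path or "/")
    resp = conn.getresponse()
    headers = {name.lower(): value for name, value in resp.getheaders()}
    conn.close()
    return resp.status, headers


def live_cert_not_after(host, port=443, timeout=10):
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example-bank.test"
    fetch = fake_fetch if target.endswith(".test") else live_fetch
    print(homepage_upgrade_verdict(target, fetch))
    if fetch is live_fetch:
        print(expiry_verdict(days_until_expiry(live_cert_not_after(target))))
```

Run with no argument to see the constructed bank site pass and swap in `example-hospital.test` to see the plain-HTTP failure; pass a real hostname to run both checks live. The HSTS warning is deliberate: a redirect alone still lets a first-time visitor's request leave the browser unencrypted, which is exactly the window a MITM on open Wi-Fi needs.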
So why is this the case? Why is HTTPS taking so long to take off?
Well, there are a few arguments here. First and foremost, encryption, as painfully indicated by Amber Rudd and other high-profile politicians, is often poorly understood owing to its complexity.
After all, encryption protocols are built on sophisticated mathematics, and there are numerous layers to get your head around (don’t expect that to get any clearer with quantum encryption nearing the horizon). This complexity also baffles boardrooms across the globe, and that’s an issue when good security is reliant on business decisions like budgets, reporting lines and IT buying cycles.
From an IT standpoint, there is also a question over where and when you use HTTPS. In particular, there has long been the concern that a need to ‘encrypt everything’ could result in a slower, less efficient organisation – and in particular slower website response times (not ideal for any sales-led organisation).
Fortunately though, change is coming top down and bottom up.
Over the years big sites like Facebook, Google, Wikipedia and the New York Times have switched to HTTPS. Wikipedia, fascinatingly, even found fewer instances of government interference and censorship after it moved to HTTPS back in 2011, according to research from the Harvard Center for Internet and Society.
Google even announced in late 2015 that its search engine would favour sites that use HTTPS over those that don't – a massive announcement for any organisation that relies on SEO and SEM for direct and referral traffic – and soon had Chrome flagging sites not HTTPS secured.
HTTPS is also being driven ground-up in the not-for-profit and commercial tech communities. Efforts like Let’s Encrypt (a free certificate authority) and HTTPS Everywhere (an HTTPS browser extension) are empowering consumers and businesses alike, while web developers, designers and CMS creators are increasingly bundling in HTTPS as part of their offerings. Take DIY website builder Wix, for example, where you simply click one button to make your site HTTPS ready.
Of course, HTTPS is not a silver bullet that will stop all web attacks; it won’t hide the site you’re visiting (though it does make it harder for ISPs, governments and businesses to view what is being read or posted on the web), and the infamous 2014 Heartbleed bug represented a major flaw in the software that makes HTTPS work.
HTTPS does though ensure that when you visit a site, you’re seeing a genuine site as the authors intended and that your web session is safe. It is a must if you want to keep your web sessions – and your customers – safe and secure.