31

I've noticed that there are a good number of sites (Google, Twitter, Wikipedia) that are serving up every page over HTTPS.

I can understand given that everyone is concerned over privacy now, but has there been some sort of best practice/impetus for this change?

Perhaps it's one of those things that it's just easier to use, because you get certain guarantees out-of-the-box?

It's been explained to me that it could be because of privacy concerns that were emphasized when the Firesheep Firefox plugin was released at Toorcon 12, but that was two years ago, and I seem to recall major sites making the switch to HTTPS-exclusive more recently.

casperOne
  • 5
    Even Wikipedia is going that way - http://meta.stackexchange.com/questions/148273/preview-new-https-wikipedia-links-in-chat –  Sep 25 '12 at 12:23
  • I'm pretty sure that Firesheep was indeed the impetus, but implementing https is non-trivial, so some sites are still getting round to acting on it. – MikeFHay Sep 25 '12 at 15:48
  • Fun fact: https://security.stackexchange.com merely redirects to the non-SSL site – Tobias Kienzler Oct 30 '12 at 09:26

4 Answers

24

HTTPS is the easiest solution to a large number of security problems:

  • Every form of Man In The Middle attack is completely impractical over an HTTPS connection (you'd need to either break SSL or hack into a certificate authority). This includes protecting your users while they're on public wifi.
  • If any page isn't secure, and a user clicks a "login" link (which is presumably HTTPS), an attacker could replace it with a link to an insecure version that steals passwords. The only secure way to do this is either to serve the whole site over HTTPS or make sure users pay attention to the URL bar. Only one of those two options is possible.
  • Since all of your pages are secure, you don't need to think about which pages are secure and which ones aren't (user clicks login -> redirect to HTTPS version -> user logs in -> redirect back to HTTP -> user goes to their profile -> redirect to HTTPS...).
  • Modern browsers give mixed content warnings if an HTTPS page contains insecure content (styles, scripts, images, etc.). Most browsers treat this kind of page as if it's not secure at all (showing the scary red URL box). The easiest way to make sure you never run into this problem is to just serve all of your content over HTTPS.
  • If you're HTTPS-only, you can enable HTTP Strict Transport Security to further reduce vulnerability to MITM attacks (once a user has been to your site once, their browser will always choose the HTTPS version, even if directed to a http:// URL).

Honestly, I don't know why anyone doesn't enable HTTPS. It's completely trivial and it can be free.

Brendan Long
  • I *thought* CPU overhead might have been an issue, but apparently not: http://stackoverflow.com/questions/548029/how-much-overhead-does-ssl-impose – Suman Sep 25 '12 at 17:39
  • 6
    @Suman Yeah, in my experience, it's completely insignificant. It's also been my experience that **developers are more expensive than servers**, so even if you needed more powerful servers, it's still worth it to save your developers time thinking about these things. There is the issue that the TLS handshake requires more round-trips than a normal TCP handshake, but this is handled with [TLS session resumption](https://en.wikipedia.org/wiki/Transport_Layer_Security#Resumed_TLS_handshake) (which is unfortunately not always enabled by default). – Brendan Long Sep 25 '12 at 17:55
  • Unfortunately, it is not by any means "completely impractical" to hack into a CA. – SLaks Sep 30 '12 at 15:49
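The mixed-content, login-link and HSTS points in the answer above can be checked mechanically for a single HTTPS response. The following is an added example, not code from the answer or its author: it parses the `Strict-Transport-Security` header and lists references that resolve to `http://`. The function names, the finding labels and the sample response are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, finding label); the labels are this example's own.
URL_ATTRS = {"script": ("src", "mixed-content"), "img": ("src", "mixed-content"),
             "iframe": ("src", "mixed-content"), "link": ("href", "mixed-content"),
             "a": ("href", "downgrade-link"), "form": ("action", "insecure-form")}

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

class InsecureRefFinder(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.findings = base_url, []
    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTRS:
            return
        attr, kind = URL_ATTRS[tag]
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheet <link>s are checked here
        url = a.get(attr)
        # urljoin resolves relative and protocol-relative URLs against the page.
        if url and urlsplit(urljoin(self.base_url, url)).scheme == "http":
            self.findings.append((kind, tag, url))

def audit(base_url, headers, html):
    """Return (HSTS policy, insecure references) for one HTTPS response."""
    finder = InsecureRefFinder(base_url)
    finder.feed(html)
    return parse_hsts(headers.get("Strict-Transport-Security", "")), finder.findings

# Constructed sample response, not captured from a real site.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_HTML = """<script src="http://cdn.example.com/app.js"></script>
<img src="//img.example.com/logo.png">
<a href="http://www.example.com/login">Log in</a>
<form action="http://www.example.com/session" method="post"></form>"""
```

Calling `audit("https://www.example.com/", SAMPLE_HEADERS, SAMPLE_HTML)` reports the script, the login link and the form target, but not the protocol-relative image, which inherits `https` from the page. A missing header yields `max_age` of `None`, meaning the browser has no HSTS policy to remember.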
13

"Attacks" are bad press. With a HTTP site, an ill-intentioned attacker could alter data in transit, making his name or logo appear in lieu of the intended page. That's not critical in any way for a site which hosts only public information (e.g. Wikipedia), but it looks bad nonetheless. With HTTPS, there is some level of "visible protection": the attacker will not be able to put his signature in the genuine site; instead, he will have to mount an alternate version with a fake certificate, at which point the browser will display a warning. It is all about making such attacks "obvious" in the eye of the public at large.

Another reason, less rational but probably more common, is the following "logic" as it goes in the minds of many managers: "Security is GOOD, it protects against BAD PEOPLE and EVILDOERS and TERRORISTS. HTTPS is security, so let's go sprinkle HTTPS everywhere we can." This is flawed in many ways, but this does not prevent people from thinking that way.

And there is fashion, of course. If Google goes HTTPS-everywhere, then it would be marketingly suicidal, and possibly bad taste, not to do the same.

Thomas Pornin
  • 3
    Even a site which hosts only public information may gain from HTTPS. Take Wikipedia. 1) Privacy: less information is leaked about what articles users are reading; the IP packets only show IP addresses, while the HTTP GET is encrypted. 2) Confidence: "you first visited this site on..." shows that the user didn't mistype the URL, and the fact that the data was signed proves it's from the expected site. – Nathan Long Sep 25 '12 at 22:01
5

In addition to privacy, it's worth noting that currently SPDY requires HTTPS to negotiate support.

While there are lots of other ways this could have been implemented while maintaining backward compatibility with HTTP/1.1, I can only assume that it was causing problems for a lot of proxies. It looks like HTTP/2.0 is likely to go the same way.

HTTPS undermines the distributed caching model of HTTP which has a huge impact on performance - so for most of us, that means relying on third-party CDNs - which rather defeats the purpose of having a secure point-to-point communication in the first place.

(the only time I had a box rooted was via a vulnerability in openSSL around 10 yrs ago - so perhaps I've got a rather distorted perspective on SSL ;)

Don't get me wrong - I don't think there's a better protocol level security solution than SSL/TLS but it's not nearly enough on its own; there are still a lot of gaps to shore up (cookies, XSS, DNS)

Martin Schröder
symcbean
2

I agree with all of the above, but should add that the move to https was for pretty much all but Google a response to the Firesheep Plugin for Firefox. This allowed you to easily hijack the session of a user who was on the same network as you, write email from them, post on Facebook and Twitter, etc. Now, with https enabled, this cannot be done.

I mention Google as their gmail login was not vulnerable to this. They have moved to https to 'protect user privacy'. Personally I am not 100% sure about this.

Webxopt