6

I've recently had the privilege of doing some traveling internationally, and I noticed that (particularly in Asia) HTTPS is very infrequently used, even on government and educational websites where users log in and provide sensitive information. I did some reading on Wikipedia about the export of encryption technologies from the USA being a potential issue, but I was under the impression that utilities like OpenSSL were pretty much free for use everywhere, and that CAs were able to issue certificates to any countries that weren't considered to be "unstable" or "at odds" with either the UN or USA (not sure of specifics on this one). Knowing how easy it is for an attacker to sniff HTTP traffic on WiFi networks, I was shocked that these institutions weren't protecting their users by implementing HTTPS. And without identity confirmation, there's not even a guarantee that the users are in the right place, whether on WiFi or not.

So, for anyone with any experience in international web security themes, does anyone know why HTTPS isn't being used? Is there something else their users are doing to protect themselves that I'm just totally in the dark about?

Funktr0n

2 Answers

1

I would say the US embargo and the cultural differences played a significant role, but there's also an undeniable level of sloppiness or lack of security awareness.

Though 40-bit SSL encryption has been available in Netscape since about 1995, many foreign banks who pioneered online payments might not have considered it safe enough. They often opted to use browser plugins to provide better encryption. The most famous is the Korean SEED system.

There's also a potential cultural thing where Asians like more ways of expressing themselves, so technical enhancements like emoticons, Flash and plug-ins/applets are potentially more acceptable. Due to competition, if one bank is offering a plug-in to secure online transactions, the others will likely follow suit. Since the banks are taking over the responsibilities, the merchants potentially invest less in security.

However, this does not completely explain why non-e-commerce sites do not use HTTPS. It is possible they looked at their banks for best security practice and noticed HTTPS was not being used. Maybe the general cyber-security education is not at the level of the western world yet. Maybe there are fewer high-profile attacks on Asian companies. Maybe the cost of obtaining a certificate is just too high (with local dealer fees and translation) for small/medium businesses. Maybe privacy laws are weak or nonexistent in certain countries and businesses have nothing to lose providing no encryption. Maybe because hosting is more expensive in Asia (you see a lot of HTTPS redirecting to HTTP).

The truth is we may never know, but come the day when most websites are HTTPS, it will be hard to find any site not supporting it anywhere in the world.

billc.cn
  • Interesting insight on SEED and browser plugins; had never heard of that, and was wondering if things like this were in use and I just didn't know about them. – Funktr0n Jan 05 '15 at 04:17
0

Many sites simply find that they can get away without using one. Several justifications can be used, one being that SSL certificates can be more difficult to acquire from trusted sources when they are overseas. Also, traffic using properly trusted certificates cannot be inspected by nosy firewalls that don't have access to the private key. So those firewalls will simply publish those sites on HTTP in lieu of HTTPS; this way there is no certificate warning.

blfoleyus