The Stride to Kill HTTP and Moving Towards More Secure HTTPS

Security is always going to be a concern when it comes to the Internet and digital communication. Crucial data is no longer exchanged across the Internet over plain HTTP. Back in 1989, when Tim Berners-Lee initiated the development of HTTP, the protocol was mainly developed for exchanging data easily. But as users started sending important and confidential data across the Internet, the need for a secure connection became inevitable.

A step towards a more secure web | Photo: Sashkin / Shutterstock

HTTPS was thus brought into action. Today, digital companies around the world are stepping together to make HTTPS the de facto protocol for the Internet. This is a huge step. And, it will take time for most of the Internet to move over to HTTPS.

But, the question is – Is it really necessary to do so? How secure is HTTPS today? And, what actions are being taken to make this happen? Well, let’s find out.

Killing HTTP and Promoting HTTPS

If you’re wondering how insecure HTTP is and what HTTPS is, head over to our guide on secure web browsing. If you already know these terms, it may surprise you that one of the companies most eager to kill HTTP is Google. It recently announced that it will start marking HTTP websites as Not Secure with a warning sign in Chrome’s address bar. Currently, it simply displays the message Connection is not private.

Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure. – Emily Schechter

This is not the only step taken by Google to promote HTTPS. Back in 2014, Google announced that HTTPS would be considered a ranking signal for websites on its search engine. Since then, many web publishers have moved over to HTTPS, though its effect on the rankings has been very little. Even the Blogspot sites (the .com ones) on the Blogger platform have been moved to HTTPS.

Image: Google Security Blog

Apart from Google, Apple is also leaning towards it by requiring iOS developers to force HTTPS connections in their iOS apps. Moreover, Facebook’s Instant Articles service uses HTTPS by default, which makes the publisher’s pages secure even if they rely on HTTP. Such promotion and pressure from big tech companies will surely bring, if not the whole, at least half of the Internet over to HTTPS.

Okay, that’s enough of promotion and pushing. After all, what users want is security. But do you really get that security with HTTPS?

How Secure is HTTPS Today?

It’s not that secure. Here’s a detailed article by EFF on why it is not. No matter how many defenses the organization builds up, there is always a way to break in. It’s not totally safe.

HTTPS only makes it harder for hackers to break in.

The problem is that very few people understand this. HTTPS does two basic things: it encrypts data, and it validates the website to confirm that it is really the web page that you asked for. This validation is done using certificates. The certificate of the website is checked against the 600+ authority certificates that your web browser can trust. So a potential hacker has to find one certificate among these through which he can break in.

Another flaw is that even if you’re on an encrypted connection, there is a chance that an attacker can intercept your web traffic. These are the so-called Man-in-the-Middle attacks. An attacker can create a fake server certificate for validation, but browsers do show a warning that the certificate isn’t trusted.


If you hit the Proceed anyway button then your device is vulnerable to a Man-in-the-Middle attack. The attacker can intercept your traffic and can see the passwords being sent through the network. So, think before hitting Proceed anyway and don’t share any private credentials with such sites.

HTTPS might have its own flaws, but it’s still secure. Strong encryption on an HTTPS connection might just be uncrackable for an attacker.

Switching to HTTPS

Some sites are moving to HTTPS just for the sake of SEO. Blogs and static sites usually don’t need to have an HTTPS connection, since users don’t share any of their private credentials with them. However, Emily Schechter (Product Manager of Google Chrome’s security team) doesn’t agree with this. Here’s her talk at Progressive Web App Summit where she debunks some myths about HTTPS.

Moving to HTTPS today is not costly. In fact, you can get SSL certificates for free. What might actually hinder anyone from switching to HTTPS is the performance loss, search rankings, and incompatibility with third-party content. However, as explained by Emily Schechter in the above video, you will recover your search ranking very soon, and a few optimizations will help your site bring its performance back to normal.

Also, some features that Google Chrome and other browsers provide to websites, like Push Notifications and Geo-location tagging, require an HTTPS connection by default. Developers won’t have access to these features without HTTPS. In the future, more features will be secured behind its wall.

It’s Going to be a more Secure Web

It’s for sure that within a few years HTTPS will become ubiquitous and the bare minimum of security for all websites. For users, it’s a yay! But, if you are a site owner, will you move to HTTPS? What are your thoughts on it? Let us know in the comments or send tweets on @guidintech.


By Abhishek Macwan
