HTTPS Everywhere

Mon, 22 Jun 2015

A customer of ours asked a few questions about TLS/SSL/HTTPS, and we thought our conversation would be a great time to kick off our Security blog.

First, let’s do a quick review of what we mean by Transport Layer Security (TLS) vs. Secure Sockets Layer (SSL) vs. HyperText Transfer Protocol Secure (HTTPS). For the purposes of this post, you can think of SSL/TLS and HTTPS as identical, but let’s first discuss the differences. Technically speaking, HyperText Transfer Protocol (HTTP) a request-response application level protocol typically used in web browsers (hence the letters HTTP at the beginning of the websites you visit). The “S” in HTTPS simply means that the HTTP protocol is now being secured with an encrypted TLS/SSL tunnel.

Why “TLS/SSL?” Technically, we should be using “TLS” and not “SSL.” TLS is the more recent version of what began as the SSL protocol. When SSL reached version 3.0 it became TLS 1.0 (you can think of TLS 1.0 as “SSL 3.1”). Why the name change? Netscape originally developed the SSL protocol in the early 90s, but the last version (SSL 3.0) was released in 1999 by Netscape. With a Request for Comment (RFC), the Internet Engineering Task Force (IETF) wanted to standardize SSL across the Internet and developed a new (but very similar) standard called TLS. Although the name was changed, “SSL” continues to stick in everyday conversation these days (which is why we continue to use SSL in this blog post instead of TLS). Although legacy support for SSL still exists across the Internet (which is why the POODLE vulnerability also exists!), when you hear about SSL, the person is more likely than not actually referring to TLS. Now that we’ve cleared up the technicalities, on to the blog post!

As a purely informational site with no e-commerce presence, “why should I use HTTPS?” we were asked. What is the point of taking on the increased administrative burden of installing an SSL certificate on your web server (or load balancer)? There is, of course, a chance that you could forget to renew the SSL cert upon expiration (and end up like Instagram or Apple). There is also the cost — you’ll end up spending in the low hundreds of dollars per year (although a nonprofit company is trying to change all of this — we’ll provide more analysis on Let’s Encrypt in a future blog post!). So if your site is not dealing with any sensitive information, why bother? Here’s why:

• Search Engine Optimization (SEO): Last summer, Google announced that they would be favoring SSL sites in their search results. Of course, no one knows by how much in their proprietary algorithm, but we do know that using SSL on your site will provide enhanced SEO for your site. For most all informational sites, SEO is paramount to driving traffic; this reason alone should drive you to adopting SSL, but there are more reasons…
• Reputation and User Visibility: A quick search across the Internet will lead you to a number of case studies from SSL certificate vendors on the increased sales and conversion rates when using EV SSL certificates or just SSL in general (EV = Extended Validation, which is a type of SSL certificate requiring increased validation by the provider. This type of certificate portrays a “green bar” in the web browser indicating additional validation and security). Although you may not be selling anything on your site, the point is that users are increasingly noticing SSL in the address bar. This gives your site a better reputation in the eyes of the user.
• SECURITY! Even if you are not hosting an e-commerce site or accepting forms of sensitive data, using SSL will still significantly increase the security of your users by preventing snooping and various attacks. Users surfing the web on a public Wi-Fi hotspot (e.g., Starbucks, hotels, etc.) are vulnerable to packet sniffing — this means attackers can very easily see all traffic going over that hotspot unless it is encrypted with SSL. Using SSL also significantly reduces the risk to a man-in-the-middle (MitM) attack by leveraging end-to-end encryption between the user’s web browser and the server to which it connects. This means the traffic cannot be modified by attackers.

For example, in the spring of 2015, you may have heard about the “Great Cannon” of China, which was used to perform a Distributed Denial of Service (DDoS) attack on on GreatFire.org (an anti-censorship site), as well as a GitHub repository for the Chinese New York Times (with mirror links published through GitHub to avoid Chinese censorship). In this “Great Cannon” attack, which most all organizations other than Chinese authorities have accepted as a government-sponsored attack, users who visited certain unencrypted sites were attacked with malicious JavaScript. The malicious JavaScript is injected into insecure traffic traveling over the Chinese Internet backbone. In simple terms, if a user visits the popular Chinese search engine Baidu.com (not secured by SSL), traffic can be intercepted via a MitM attack leading to malicious JavaScript injections. The malicious JavaScript then causes the browsers of those attacked to repeatedly load the target sites (the aforementioned GitHub repository and GreatFire.org). This leads to a massive DDoS, unbeknownst to the end users who are technically the source of the DDoS. These types of attacks can be mitigated with a secure, end-to-end connection, which is what SSL provides; with HTTPS, attackers cannot modify traffic and the JavaScript injections would not be possible.

Due to these advantages, we strongly recommend that all sites use SSL certificates, regardless of whether or not sensitive information is being transmitted.

If you have any questions on use of SSL certificates (e.g., how do I secure my site with SSL? Why is Chrome telling my customers that my SSL certificate uses “obsolete cryptography?”), we are here to help! Email us at security@trek10.com for more information.