Security and encryption are becoming bigger talking points lately for users of the web. Every day there are new breaches, vulnerabilities and threats announced, and it can be overwhelming to grasp it all. A question that is being raised more and more is why we don’t use the secure protocol for all websites, everywhere. HTTPS (HyperText Transfer Protocol Secure) is what banking, shopping and other websites have used for two decades. This protocol encrypts the traffic between a user’s web browser and the website so hackers cannot see your sensitive information being sent back and forth.
With all these breaches and hacks why don’t companies use HTTPS everywhere?
There is a reason for that; actually, there are several reasons why a company can’t, and shouldn’t, use it everywhere. The first is that encryption isn’t free: there is a financial cost, a processing cost and a time cost. The financial cost is buying the infrastructure to handle your encryption, and if you use external certificates there is a cost for each certificate. HTTPS adds processing overhead for the back-and-forth handshakes; while our computers and broadband connections are getting faster, it is still added time and will slow things down. Another trade-off with HTTPS is caching, saving data for easier reuse: HTTPS would require re-requesting items that would normally be cached locally. The last cost is time. All those certificates and that infrastructure require more maintenance: replacing expired certificates, dealing with handshake problems, and so on.
Another downside to HTTPS everywhere is that an HTTPS certificate is bound to a domain. One certificate covers one domain, 1 to 1. If you host multiple subdomains, say shop.acme.com and catalog.acme.com, you would need a certificate for each one. The certificate has to match the domain being accessed exactly; otherwise the user gets a browser security error or cannot access the site at all. Facebook and Twitter both enabled HTTPS on their sites for everyone. They do not have that problem because their entire sites run off one base domain, www.facebook.com: anyone’s pages are ‘sub directories’ under the domain instead of sub-domains off the root.
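The name check described above is the one a browser runs on every HTTPS connection before it will show a page. The script below is an added example, not code from the original post: it implements a simplified version of the RFC 6125 matching rules against constructed certificate name data (plain dicts standing in for the X.509 subject and subjectAltName fields; no real certificates or network access are involved). It goes slightly beyond the post by also showing the two mechanisms that let one certificate legitimately cover several subdomains, a subjectAltName list and a wildcard name, so you can see exactly which hostnames a given certificate will and will not satisfy.

```python
"""Hostname-vs-certificate matching, simplified from RFC 6125.

Added example; not code from the original post. The Cert class is a
constructed stand-in for the name fields of an X.509 certificate.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Constructed stand-in: CN from the Subject, dNSName entries from SAN."""
    subject_cn: str
    sans: list = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the entire leftmost label (*.acme.com) and it covers
    exactly one label: *.acme.com matches shop.acme.com but neither acme.com
    nor a.b.acme.com.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # reject *.com and in-label wildcards
    if len(p_labels) != len(h_labels):
        return False                      # wildcard spans exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: Cert, host: str) -> bool:
    """Browser rule (simplified): if the certificate carries any dNSName
    SAN entries, only those are consulted; the CN is used only as a fallback
    when there are no SANs."""
    names = cert.sans if cert.sans else [cert.subject_cn]
    return any(_name_matches(n, host) for n in names)


def connection_outcome(cert: Cert, host: str) -> str:
    """What the user sees: the page, or the browser's certificate error."""
    if cert_matches_host(cert, host):
        return "ok"
    return "error: certificate name does not match " + host


if __name__ == "__main__":
    # One certificate for one domain, the 1-to-1 case from the post.
    single = Cert("www.acme.com")
    # A SAN certificate listing every subdomain it is meant to cover.
    san = Cert("www.acme.com", ["www.acme.com", "shop.acme.com", "catalog.acme.com"])
    # A wildcard certificate covering any single label under acme.com.
    wild = Cert("*.acme.com", ["*.acme.com"])
    for label, cert in (("single", single), ("san", san), ("wildcard", wild)):
        for host in ("www.acme.com", "shop.acme.com", "acme.com", "a.b.acme.com"):
            print(f"{label:9s} {host:14s} {connection_outcome(cert, host)}")
```

Run it and the table shows the point of the paragraph: the single-name certificate serves only www.acme.com, and shop.acme.com fails with the same error a browser would show. It also shows that a SAN or wildcard certificate is how sites that do run many subdomains avoid buying one certificate per host.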
The last big reason why HTTPS everywhere isn’t quite ready yet is the coordination with your users and partners. You need to be sure that everyone connecting can support SSL in their tools; surprisingly, some can’t, but that number is falling fast. If you expose APIs or have a public site with benign, non-sensitive data, making sure users can trust your certificates is vital. If you are using an industry-standard certificate authority this is less of a problem. But if you create your own, you need to exchange certificate files with your users and partners so they can trust your applications. If not, they won’t be able to access anything.
Google has been pushing for wide use of HTTPS for the last several years, and is even considering penalizing regular HTTP sites by ranking HTTPS sites higher in its search results. The point is that HTTPS use is growing. Whether it is going to be the standard everywhere is still up for debate. Regardless, if you can, I would recommend using it. If you have any web application where users enter credentials of any kind, no matter what it asks for, you should use HTTPS without question. Even if you are only asking people to log in to get a free white paper, your users’ own security practices may not be as strong as they should be, and they may use the same username and password for your site as they do for their bank. The first thing hackers do with collected credentials is run them across the Internet to see if they work elsewhere.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.